HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Printing Errors Cause 3 Health Plan Data Breaches

Office for Civil Rights has received three separate reports of unauthorized disclosures caused by printing errors. Two incidents were discovered by Blue Cross and Blue Shield of North Carolina (BCBSNC) which affected 807 and 1530 plan members, while New York-based Affinity Health Plan has started notifying 721 members that their data was accidentally disclosed because of a printing error.

Two Blue Cross and Blue Shield of North Carolina Printing Errors Discovered


In August 2015, 2,300 BCBSNC plan members had some of their personal information disclosed to other plan members. The first error was brought to the attention of BCBSNC on August 14 after complaints were received about a recent mailing sent to its subscribers.

A printing error saw members’ billing information printed on the reverse side of other plan members’ invoices. No personal financial information was disclosed; although some plan members did have their names, addresses, coverage dates, premium amounts, and internal BCBSNC account numbers disclosed. The incident did not result in the unauthorized disclosure of BCBSNC member identification numbers according to the breach notice.

A second error was discovered by BCBSNC a few days later on August 24. Plan members had been sent information intended for other subscribers. In this incident, payment amounts, payment ID numbers, health insurance marketplace identification numbers, details of health plans purchased, and their effective dates were disclosed.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

An error was made on a spreadsheet which resulted in the wrong information being sent to the printers. Affected individuals are not believed to face an increased risk of suffering insurance fraud, although HIPAA Rules required notifications to be sent to patients nonetheless to alert them to the privacy breach.

BCBSNC has taken action to prevent similar incidents from occurring in the future. To prevent spreadsheet errors, BCBSNC has implemented a new quality review process and its mailing vendor has similarly reviewed its standard operating procedures and has “implemented a new quality control process” to identify mistakes before letters are mailed.

New letters were printed containing the correct information and have now been mailed to those affected, as have HIPAA breach notification letters.

Affinity Health Plan Printing Error Exposes Plan ID Numbers and Children’s Names


Interestingly, on the same day that BCBSNC discovered a mailing error, Affinity Health Plan also discovered a double-sided printing error, with different patient’s data printed on each side of the page.

721 Affinity Health Plan members were sent an appointment reminder on August 4, 2015. Members were asked to make an appointment with Affinity Recertification Representative in order to complete a Child Health Plus renewal application. However, on the reverse side, the same message had been printed in a different language, but included other members’ addresses. The name of the member’s child was also detailed in the mailing along with their unique Affinity plan ID number.

In this case, although plan member numbers were disclosed, it would not be possible for any of the information to be used to obtain medical services, make insurance claims or obtain further information about either plan members or their children. Affinity Health Plan informed affected individuals that there are security controls in place to prevent that from happening. In the breach notification letter sent to affected members, they have been advised to securely dispose of the letters.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.