Scan Health Plan Reports PHI Breach

The protected health information (PHI) of some members of Scan Health Plan, Scan Health Plan Arizona, and VillageHealth has been accessed and potentially viewed by an unauthorized individual.

The PHI was stored on contact sheets that were used by Scan Health Plan for sales purposes. On June 27, 2016, Scan Health Plan discovered that those contact sheets had been accessed by an unauthorized third party. Upon discovery of the breach, access to the data was immediately terminated and a cybersecurity firm was brought in to conduct a full investigation.

The investigation revealed access to the system used to store the contact sheets was first gained by an unauthorized individual in March 2016, and access was possible until the end of June when the breach was discovered.

Data on the contact sheets include names, telephone numbers, and home addresses. Some members also had their date of birth, health notes, medical conditions, prescribed medications, and physician’s name compromised. No financial information or insurance policy numbers were exposed, although a limited number of individuals had their Social Security number compromised.

Scan Health Plan is taking steps to ensure that data breaches of this nature are prevented in the future. Action has also been taken to protect plan members from identity theft and other fraudulent uses of their data. At the present moment in time, no reports of fraudulent data use have been received by Scan Health Plan.

Typically, HIPAA covered entities that offer identity theft protection services to breach victims require individuals to enroll for those services within a limited timeframe – usually 3 months. Scan Health Plan has ensured that all breach victims benefit from the services, even if individuals do not sign up for the services promptly.

All individuals impacted by the breach have been offered 12 months of credit monitoring services from the date of the breach notification letter. Individuals signing up for the services will also be covered by a $1 million identity theft insurance policy.

Even if breach victims do not enroll for the services, assistance will be provided in the event that their data are used for fraudulent purposes. Identity theft victims can call AllClear ID and they will receive help to restore their identities and credit and recover any financial losses.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.