HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Window Envelope Privacy Breach Exposes ID Numbers of 70,320 Tufts Health Plan Members

Tufts Health Plan is alerting 70,320 of its members that their health plan member ID numbers have been exposed.

A mailing vendor used by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage members between December 11, 2017 and January 2, 2018.

Window envelopes were used, which naturally allowed plan members’ names and addresses to be seen, but Tufts Health Plan member IDs were also visible through the plastic windows of the envelopes. The mailing error was discovered by Tufts Health Plan on January 18.

Tufts Health Plan notes that its member IDs are not composed of Social Security numbers or Medicare numbers, but the member ID numbers could potentially be misused by individuals to receive services covered by the health plan.

Legal experts were consulted about the breach to assess the potential risk to plan members. The risk of misuse of the numbers is believed to be very low, as the only individuals likely to see the member IDs would be employees of the postal service. Plan members have been told that, in the unlikely event that their member IDs are misused, they will not be responsible for any charges.

Plan members should check their Explanation of Benefits statements carefully and should report any services detailed on the statements that have not been received.

The health plan reports that it has been working closely with its vendor to ensure similar incidents do not occur in the future. The mailing vendor has confirmed that the error that caused the privacy incident has now been fixed.

In this case, the privacy breach was limited and patients should not be adversely affected, but similar incidents at other healthcare organizations have caused serious problems for some individuals.

On July 28, 2017, a business associate of Aetna sent a mailing to approximately 12,000 plan members detailing a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are prescribed to treat HIV and as Pre-exposure Prophylaxis (PrEP) to prevent contraction of HIV. Information about those medications was clearly visible through the plastic windows of the envelopes. The disclosure was not limited to the postal service. In some cases, the information was inadvertently disclosed to family members and roommates.

A class-action lawsuit filed against Aetna was recently settled for $17 million. Aetna was also fined $1.15 million by the New York Attorney General over the privacy breach, and further actions may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights.

A similar privacy incident affected Amida Care in 2017, again involving information related to HIV. In that case, the words “Your HIV detecta” were visible through the clear plastic windows of envelopes next to the name and the address, even though an additional sheet of paper had been inserted to prevent information on the enclosed double-sided flyer from being visible.

These incidents clearly highlight the risks of using window envelopes for healthcare mailings. If the decision is taken to use this type of envelope, stringent checks should be conducted to ensure that the letters cannot slip to reveal sensitive information and that the content of the mailings cannot be seen.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.