PHIPrivacy.net reminded us that many of the mistakes made in data breaches involve human error, as shown by three separate instances in which CareFirst, a healthcare insurer, made patient mailing mistakes. In all three cases, CareFirst reported the incident to the Office for the Attorney General (OAG).
The first instance occurred when a CareFirst associate mistakenly mailed a patient’s receipt that included their Social Security number to the wrong patient. Though the unintended recipient returned the receipt to CareFirst and the company doesn’t believe that the information has been misused, it offered the affected patient a year of free credit monitoring.
Next, there was the instance in which five Maryland residents had their claims for a union healthcare plan, which included Social Security numbers, names, addresses and dates of birth, sent to the wrong claims administrator.
Again, while CareFirst believes there has been no harm done because the administrator sent the claims to the correct office, it also offered those patients free credit monitoring for a year.
Lastly, CareFirst told OAG of another breach where two Maryland residents had their protected data accessed inappropriately. In responding to Full and Fair Review Act requests, a CareFirst employee mailed information such as Social Security numbers, names, addresses and dates of birth to the wrong addresses. According to the document, only one of the unintended recipients sent the information back, and it’s unknown where the second patient’s data is. CareFirst offered both patients credit monitoring as well.
Health Resources of Arkansas
Other physical breaches can’t be avoided, such as the one at Health Resources of Arkansas, where 1,911 patient records were potentially compromised on April 14, 2013. One of its locations was robbed, and though no records were stolen, the office did contain protected health information (PHI) such as name, address, date of birth, Social Security number, diagnosis, type of treatment, class attended, court information, services provided or insurance information of persons served by that location.
Health Resources of Arkansas said it was HIPAA-compliant in locking up the PHI and no harm was done to patients as a result of the break-in, but it still alerted patients of the breach on May 20.