- Horizon Blue Cross Blue Shield of New Jersey (Horizon BCBSNJ) announced earlier this month that one of its vendors potentially exposed the information of up to 170,000 members in a potential data breach.
Command Marketing Innovations (CMI) did print work for Horizon BCBSNJ, and discovered a printing error that may have allowed members and providers to receive Explanation of Benefits (EOB) statements and Explanation of Payment (EOP) statements with information intended for a different Horizon BCBSNJ member or provider.
Only EOBs and EOPs that were mailed on October 31, November 1 and November 2, 2016 were affected by the printing error.
Horizon spokesman Kevin McArdle told NJ.com that while approximately 170,000 envelopes were mailed in that three day period, it is unclear how many contained the information of other members. He added that he was not aware of reports of suspicious activity as a result of the privacy breach.
Potentially exposed information includes member name, member ID number, claim number, date of service, limited description of services, service codes or provider/facility name. Social Security numbers, financial information, addresses, and dates of birth were not included.
“The print error was determined to be related to a change in the printing process made by CMI,” the statement explained. “CMI has implemented corrective actions to restore compliance with Horizon BCBSNJ’s strict quality control and privacy standards and assure accurate performance going forward.”
Horizon BCBSNJ added that it will monitor impacted members’ accounts for any potential fraudulent submission of medical claims.
“Corrected EOBs and EOPs will be reissued within the next week and notifications of the error will be mailed to impacted Horizon BCBSNJ members,” the statement explained.
Network error creates privacy incident for Kaiser Permanente locations
Kaiser Permanente Health Plan, Inc of Northern California, Kaiser Permanente Health Plan, Inc of Southern California, and Kaiser Foundation Health Plan of the Northwest are notifying individuals that some of their PHI may have been viewed for approximately two hours during October 12th into October 13th, 2016.
The OCR data breach reporting tool shows that 8,020 individuals were potentially affected by the three separately reported incidents.
A copy of the data breach notification letter was posted to the California Office of the Attorney General’s website, and said that the website error that caused the information to be exposed has since been fixed. Kaiser added that it is reviewing its “processes and procedures for testing website updates to help prevent any similar incident in the future.”
“The error happened during an upgrade to kp.org that occurred at 11:26 p.m. Pacific time on October 12th, 2016. We took immediate action to repair the error, preventing any further exposure of member information after 1:43 a.m. Pacific time on October 13th, 2016. The upgrade changed how the website stored data to make loading website pages quicker. However, the upgrade mistakenly allowed confidential data viewed by members who signed in to kp.org to potentially be seen by other visitors.”
The letter did not specify what information was potentially exposed, but said that Social Security numbers and banking information were not included.
Ransomware attack hits Texas dermatology clinic
Dr. Robert J. Magnon of Seguin Dermatology in Texas recently announced that the clinic was hit with a ransomware attack “on or around September 12, 2016.” The malware encrypted the Seguin server, but the facility was able to remove the ransomware from the server, according to a press release posted to the Seguin website.
A forensic exam determined that some patient PHI may have been on the affected server. While medical records, laboratory reports, credit card information or bank account information were not included, certain demographic information may have been affected. This includes patient names, addresses, telephone numbers, and dates of birth. Insurance billing information and current Procedural Technology (CPT) codes may also have been included. Some patients may also have had their Social Security numbers in the server, according to Seguin.
“Upon learning the results of the forensic investigation, we immediately took steps to notify all affected patients,” the statement explained. “To prevent this from happening again, we are conducting a review of our physical and computer security, reassessing our office’s policies and procedures, and performing staff training. We continue to monitor the situation and will notify you as necessary.”
Seguin did not state how many patients were potentially affected by the ransomware attack. However, the clinic said that those who had their Social Security numbers included would be able to work with an identity and credit protection service.
Improper PHI disposal creates data security incident
Texas-based Austin Pulmonary Consultants (Austin) reported that an improper disposal of documents meant for shredding may have led to a data security incident for some patients and their payment guarantors.
Austin explained in a statement on its website that it learned on September 8, 2016 that a cleaning services vendor improperly disposed of documents that had been designated for shredding.
The documents may have included personal information and PHI for approximately 889 patients, according to the OCR data breach reporting tool.
There is no indication that the data has been misused, Austin said, and it does not anticipate any future disclosure or misuse of the information.
Information in the documents may include patients’ names, addresses, dates of birth, Social Security numbers, and medical information. For the payment guarantors, their names, addresses, Social Security numbers, and medical payment information may have been included in the records.
Notification letters were mailed on November 7, 2016, and a toll-free call center has been established to answer any questions that individuals may have.
“In addition, we have taken immediate steps to prevent a similar event from occurring in the future, including working closely with the vendor to retrain its staff regarding proper disposal methods and implementing additional security measures pertaining to the disposal of records,” the statement explained.
New York provider reports privacy incident from mailing error
EmblemHealth announced on its website that one of its companies, Group Health, Inc. (GHI), was recently involved in a potential privacy incident after a mailing error.
GHI reportedly mailed patients a copy of their Medicare Prescription Drug Plan Evidence of Coverage in early October. However, EmblemHealth said it learned on October 13, 2016 that there was an unintentional disclosure of individuals’ Health Insurance Claim Number (HICN) from the mailing.
According to EmblemHealth, GHI assigns each member a “mailing identifier” number, which is randomly selected and does not contain member information.
“Our investigation found that, while preparing the Evidence of Coverage documents for mailing, HICNs were inadvertently included in the electronic file sent to EmblemHealth’s vendor and were then disclosed on the external mailing label that was affixed to the package,” the data breach notification letter read.
In this instance though, the mailing identifier was mistakenly replaced with patients’ HICNs, which mirrors their Social Security numbers.
“As a result, your proper name and address appeared on the external mailing label of the evidence of coverage documents, along with the nine digits of your Social Security number that were listed as the package number (PKG#) located above the barcode,” the letter explained.
The nine digits were not identified as being individuals’ Social Security numbers, EmblemHealth stated, and no health information or financial information were disclosed.
Affected patients will be offered 24 months of complimentary identity protection services, free credit monitoring, and up to $1 million of identity theft insurance coverage.