- A mailing error has led to a potential healthcare data breach for Triple-S Advantage (Triple-S) members, according to an online company statement.
The Puerto Rico-based organization is an independent licensee of the BlueCross BlueShield Association.
Triple-S reported that it learned on December 5, 2017 that November 2017 mailings to healthcare providers were sent to the wrong address. Information included plan member names, health plan identification numbers, dates of service in which treatment was provided, and treatment codes.
The organization reported to OCR that 36,305 individuals may have been impacted.
“Triple-S Advantage has performed an extensive investigation into why and how their personal information was disclosed,” Triple-S stated, adding that there is no indication the information has been misused.
“We have taken immediate steps to ensure additional notices to our members and your health care providers are sent to the correct address, such as: correction of the mailing process, completion of testings and sending the letters to the correct address of your provider,” Triple-S continued. “The members who may have been affected by this incident will receive first-class mail notices.”
Triple-S also urged individuals to carefully review their Explanation of Benefits and that they continue to receive documents that they would normally receive regarding healthcare services or benefits.
Triple-S was part of a 2015 OCR HIPAA settlement, where Triple-S Management Corporation agreed to a $3.5 million settlement.
OCR reviewed five reported data breaches connected to Triple-S subsidiaries affecting over 500 individuals that took place between 2010 and 2015. The agency also investigated two data breaches that affected fewer than 500 individuals.
“This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information,” previous OCR Director Jocelyn Samuels explained in a statement.
Pharmacy email security compromised in CA
An email security issue led to limited pieces of patient information being accessed by an unauthorized individual, according to a Ron’s Pharmacy Services statement.
The California-based pharmacy explained that it identified unusual activity in an employee email account on October 3, 2017. Ron’s Pharmacy determined on December 21, 2017 that patient information had been viewed by an unauthorized party.
Patient names, Ron’s Pharmacy internal account numbers, and payment adjustment information may have been affected. A small number of impacted individuals may also have had their prescription medication information accessed. Social Security numbers, financial account information, or health insurance information were not involved.
Ron’s Pharmacy’s report to OCR stated that 6,781 individuals may have been impacted.
“Upon learning of the event, we immediately changed the credentials to the email account and launched an extensive internal investigation, which was supported by a third-party forensic investigation firm, into the nature and scope of the incident,” Ron’s Pharmacy President Ron Belville said in a statement.
“Once we confirmed protected health information was accessed without authorization, we immediately took steps to notify our impacted patients of the incident,” Belville continued. “We have provided additional staff training and are reviewing our policies and procedures to better protect against an event like this from happening again.”
North Carolina facility reports ransomware attack
Coastal Cape Fear Eye Associates (CCFEA) discovered on December 5, 2017 that ransomware had infiltrated a file on its computer system.
Malicious code prevented CCFEA from being able to access certain electronic files, but the organization was able to quarantine and remove the ransomware from the impacted file. CCFEA added that “until recently” it had been unable to access the data that was stored in the impacted file.
The OCR data breach reporting tool states that 925 individuals may have been impacted.
Information in the patient records included patient names, addresses, dates of birth, phone numbers, Social Security Numbers, insurance card numbers, driver’s license numbers, email addresses, ethnicities, emergency contacts, medical histories, medications, legal documents, diagnosis records, physician notes, medical diagrams, and billing and payment histories. Scanned copies of Medicare cards, insurance cards, and drivers’ licenses were also in the electronic files.
“Following an investigation by CCFEA and independent information technology professionals, it was determined that while there is no evidence that any of the data was removed from the files,” the organization stated. “Our investigation is ongoing and our information technology professionals are working to implement additional security measures to protect against future attacks.”
Individuals whose information was compromised will be receiving a data breach notification letter, along with steps individuals can take to protect their identity and information, CCFEA added.
PHI improperly transmitted to business associate
PHI was transmitted to a California pharmacy’s business associate for non-health related reasons, which is considered a data breach, according to an online statement.
RoxSan Pharmacy (RoxSan) reported that the data file was transferred to a business associate in the legal field on January 20, 2015. The file was sent to one individual who does have a business associate agreement in place with RoxSan.
The organization said that 1,049 patients will be notified that their information was involved in the incident.
The file contained records dated between April 2015 and August 2015. The records included prescription information, patient identification numbers, drug information, physician names, and insurance information. RoxSan added that patient names, addresses, or other personal identification information were not involved.
“RoxSan has not received any indication that the information has been accessed or used by any unauthorized individual,” the pharmacy explained. “RoxSan sincerely apologizes for the inconvenience and concern this incident may cause you and will continue to do everything it can to correct this situation and fortify its operational protections for you and others.”