- A vendor that handles the mailing of member identification (ID) cards reportedly sent out envelopes with patient information visible in the mailing window, which created a Tufts Health Plan data breach.
Tufts Medicare Preferred ID cards were sent out to Medicare Advantage members between December 11, 2017 and January 2, 2018, Tufts said in a statement. The error was discovered on January 18, 2018.
The Massachusetts-based health insurance company reported to OCR that 70,320 individuals may have been impacted.
Member names, addresses, and Tufts Health Plan member ID numbers were visible in the envelope window.
“We have consulted with experts in the legal and fraud areas, and we have determined that this situation presents a very low risk to any member’s personal information,” Tufts explained. “We have no indication that anyone other than the postal service would have been able to view the member ID number while the letter was in transit to the member.”
Tufts Health Plan members will not be responsible for any charges that potentially occur if member names or ID numbers “are used by another person to receive services covered by Tufts Health Plan,” the statement added.
Tufts said the error has been fixed at the vendor and that it is continuing to work with the vendor to prevent similar incidents from happening in the future.
“Our Customer Relations team has verification procedures in place to ensure that we will not provide confidential member information to anyone but the member or their authorized representative,” Tufts explained.
Unfortunately, mailing errors where sensitive information is visible through envelope windows is not a new occurrence and can also lead to expensive settlements.
Aetna reached a $17,161,200 settlement in January 2018 following a 2017 data breach from that potentially exposed the information of 12,000 individuals. Aetna sent letters in the mail where information about ordering prescription HIV drugs was clearly visible through the envelope's clear window.
“…the instructions for the recipient to fill their HIV medication prescription was plainly visible through the large-window section of the envelope,” the original lawsuit read. “Specifically, the visible portion of the letter clearly indicated that it was from Aetna, included a claims number and information for the addressee, and stated ‘[t]he purpose of this letter is to advise you of the options…Aetna health plan when filling prescriptions for HIV Medication…’”
Additionally, those letters were originally sent to in response to a settlement over a previous data privacy violation concern. Aetna had been sued in two separate class-action lawsuits in 2014 and 2015.
“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” the 2017 lawsuit explained.
New York also reached a $1.15 million settlement with Aetna over the 2017 data exposure. New York Attorney General Eric Schneiderman explained in a statement that the HIV status of 2,460 New Yorkers was exposed in the incident.
“Through its own carelessness, Aetna blatantly violated its promise to safeguard members’ private health information,” Schneiderman said. “Health insurance companies handle personal health information on a daily basis and have a fundamental responsibility to be vigilant in protecting their members. We won’t hesitate to act to ensure that insurance companies live up to their responsibilities to the New Yorkers they serve.”
While investigating the 2017 mailing error, the New York AG office discovered another Aetna data breach.
Aetna sent 163 New Yorkers a mailing containing materials related to a research study regarding atrial fibrillation (AFib) on September 25, 2017, the AG office explained.
“Aetna’s mailing to members with AFib used envelopes that displayed the logo of the research study, ‘IMACT-AFIB,’ easily viewed by third parties – which could have been interpreted as indicating that the recipient member had an AFib diagnosis,” the statement read.
Whether healthcare organizations work with a vendor for external mailings to members and patients or they handle the mailings themselves, extreme care must be taken with PHI security. Covered entities and business associates need to ensure that appropriate safeguards are in place to prevent data in all forms from inadvertent exposure.