- PHI on close to 20K children was exposed in a healthcare data breach when WellCare Health Plans, which administers the Missouri Medicaid plan, sent letters to the wrong addresses, the Kansas City Star reported Aug. 29.
The company said that it discovered July 25 that a mailing error had caused reminders about well-child visits for its Missouri Care members to be sent to the wrong people.
Information that may have been exposed included the child’s name, age, and provider name.
“As we continue to investigate the scope of the incident, we are taking steps to prevent something like this from happening again,” said Ted Webster, vice president and chief security and privacy officer at WellCare.
“Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”
WellCare said it is providing those affected by the breach with one year of free credit monitoring services.
Missouri Care plans cover 275,000 people throughout the state and focus mainly on children and pregnant women, according to the newspaper.
Back in June of this year, WellCare reported to OCR that an unauthorized access/disclosure of PHI occurred that affected 1,101 individuals. WellCare did not provide additional details about that breach.
Last August, WellCare reported a breach of personal information on 1,223 members that it blamed on a subcontractor, O’Neil Printing, the newspaper noted. Names, dates of birth, and Medicaid account numbers were exposed in that breach.
In January last year, WellCare said it was informed that Summit Reinsurance Services, WellCare’s former reinsurance services provider, had experienced a ransomware attack on August 8, 2016. Summit reported that the information that was encrypted may have included names, birth dates, addresses, member IDs, diagnoses, provider names and locations, and Social Security numbers. SummitRe’s system was first accessed on March 12, 2016.
In December 2014, WellCare admitted to another mailing snafu that exposed PHI on 500 people in New York.
WellCare notified Medicare subscribers at the end of November of that year about the breach. It blamed the problem on a third-party vendor that experienced a computer coding error, which caused denial letters to be sent to the wrong members. The compromised data included patients’ names, addresses, member ID numbers, and descriptions of the procedures.
WellCare stressed that specific diagnoses were not revealed and that Social Security numbers and other financial information were not compromised.
A total of 47 people were notified in Monroe County, while the insurer notified more than 500 people in the entire state of New York.
While dealing with data breaches, WellCare has also been active on the acquisition front. In May, it confirmed its $2.5 billion purchase of Meridian Health Plan of Michigan, Meridian Health Plan of Illinois, and MeridianRx.
The acquisition is seen as an effort by WellCare to expand its footprint in the Medicaid and Medicare Advantage (MA) markets.
Meridian’s health plan products serve more than 1 million Medicaid, MA, dual-eligible, and marketplace beneficiaries. The acquisition adds 508,000 Medicaid members in Michigan, 565,000 Medicaid members in Illinois, and 27,000 MA members to WellCare’s beneficiary populations.
The purchase will result in WellCare becoming the largest Medicaid plan provider in Michigan and will expand WellCare’s Medicaid market position in five other states.
WellCare estimate that the purchase will provide an additional $4.3 billion to annual revenues.
“Meridian is a well-performing health plan, and WellCare and Meridian share a similar commitment to serving our members through a comprehensive, integrated approach to healthcare,” said WellCare CEO Ken Burdick.
“This transaction strategically aligns with our focus on government-sponsored health plans, will strengthen our capabilities and growing business, and will meaningfully advance our growth agenda,” he added.
This month, WellCare said it was selling about $1.1 billion in stock and issuing around $700 million in new debt as part of its plan to pay for the Meridian purchase.