Blue Cross Blue Shield of Georgia mails the wrong information to the wrong people

Date Reported:
7/29/08

Organization:
WellPoint, Inc.

Contractor/Consultant/Branch:
Blue Cross and Blue Shield of Georgia

Victims:
Patients

Number Affected:
"more than 200,000"

Types of Data:
"name, ID number, the name of the medical provider delivering the service, and the amounts charged and owed" Also, "A small percentage" of the number affected contained Social Security numbers.

Breach Description:
"Georgia's largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses"

Reference URL:
WAGT-TV NBC News
Atlanta Journal-Constitution
WJBF-TV Channel 6 News

Report Credit:
Andy Miller, The Atlanta Journal-Constitution

Response:
From the online sources cited above:

Georgia's largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that also raised concerns about potential identity theft.

Blue Cross and Blue Shield of Georgia said Monday that the erroneous mailings were primarily Explanation of Benefits (EOB) letters, which include the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed.

"A small percentage" of letters also contained the patient's Social Security numbers, said Cindy Sanders, a Blue Cross spokeswoman.

The EOB forms were mailed to the addresses of other Blue Cross policyholders.

The security breach may be a violation of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects patients' medical information.
[Evan] Whether or not this is a violation will be debated for some time to come.  Judge for yourself (HIPAA Security Standard).  Even if it is a violation, sanctions are rare (which takes the bite out of the legislation).  If there are no (or little) consequences for non-compliance, what is left to motivate organizations to comply?

While the insurer said it was still determining the number of letters involved, state Insurance Commissioner John Oxendine, whose office is investigating the problem, gave a preliminary estimate of 202,000.

That figure does not equal the number of patients affected, though, because some would have received multiple EOBs if they had visited several medical providers, Oxendine said.

"This is very, very serious," Oxendine said.

A person with knowledge of medicine or billing, for example, could determine if the patient was treated for cancer, HIV or fertility problems, he said.
[Evan] In my opinion, the disclosure of medical information poses a more serious long-term problem than does the disclosure of financial information or Social Security numbers.

Blue Cross said the mix-up was caused by a change in the computer system that was not properly tested.
[Evan] At least Blue Cross is honest.  There is little excuse for this, however.  Testing is an ABSOLUTE MUST in the change control process.

"As soon as we became aware of the mailing error, we worked to determine the exact cause, and we have made changes to prevent it from happening again in the future," Sanders said.
[Evan] How?  What changes did Blue Cross implement to prevent this from happening again?  Did they just fix the "computer system", did they fix the change control problem, was anyone held accountable for the mistake?
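An added illustration, not Blue Cross or WellPoint code (the article does not say what the system change was): whatever the change, the invariant a change-control test can enforce before a batch of EOB letters leaves the building is the same, namely that every letter's envelope address is the address of record for the member whose claim it describes. The names `Member`, `Claim`, `EobLetter`, `address_letters` and `check_batch`, the member IDs, addresses and letter IDs, and the three mis-addressed letters in the sample batch are all constructed for this example. The check passes a patient who receives several EOBs at one address (the case Oxendine mentions) and reports, per wrong address, how many other members' letters would land in one envelope (the case the nurse describes), plus how many of those carry a Social Security number.

```python
"""Pre-mailing invariant check for a batch of Explanation of Benefits letters.
Added example with constructed sample data; not the insurer's code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    address: str  # mailing address of record


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    provider: str
    amount_owed: float
    contains_ssn: bool = False


@dataclass(frozen=True)
class EobLetter:
    letter_id: str
    member_id: str         # member whose claim the letter describes
    provider: str
    amount_owed: float
    envelope_address: str  # address the batch job printed on the envelope
    contains_ssn: bool = False


@dataclass
class BatchReport:
    total: int
    # (letter_id, intended member_id, member_id living at the wrong address, or None)
    misaddressed: List[Tuple[str, str, Optional[str]]]
    per_recipient: Dict[str, List[str]]  # wrong address -> letter ids sent there
    ssn_exposed: int

    @property
    def ok(self) -> bool:
        return not self.misaddressed


def address_letters(claims: List[Claim], directory: Dict[str, Member]) -> List[EobLetter]:
    """Address each letter by looking up the claim's member. An unknown member
    raises KeyError rather than letting the letter fall through to another address."""
    return [EobLetter(c.claim_id, c.member_id, c.provider, c.amount_owed,
                      directory[c.member_id].address, c.contains_ssn) for c in claims]


def check_batch(letters: List[EobLetter], directory: Dict[str, Member]) -> BatchReport:
    """Release gate: fail the batch if any letter would reach the wrong member."""
    by_address = {m.address: m.member_id for m in directory.values()}
    misaddressed: List[Tuple[str, str, Optional[str]]] = []
    per_recipient: Dict[str, List[str]] = defaultdict(list)
    ssn_exposed = 0
    for letter in letters:
        member = directory.get(letter.member_id)
        if member is None:  # no address of record: fail closed
            misaddressed.append((letter.letter_id, letter.member_id, None))
            continue
        if letter.envelope_address == member.address:
            continue  # several EOBs to one patient at that patient's address are fine
        actual = by_address.get(letter.envelope_address)
        misaddressed.append((letter.letter_id, letter.member_id, actual))
        per_recipient[letter.envelope_address].append(letter.letter_id)
        if letter.contains_ssn:
            ssn_exposed += 1
    return BatchReport(len(letters), misaddressed, dict(per_recipient), ssn_exposed)


# Constructed sample data (not real members or claims).
SAMPLE_DIRECTORY = {
    "M1": Member("M1", "A. Example", "1 Peachtree St, Atlanta GA"),
    "M2": Member("M2", "B. Example", "2 Oak Ave, Augusta GA"),
    "M3": Member("M3", "C. Example", "3 Pine Rd, Savannah GA"),
}
SAMPLE_CLAIMS = [
    Claim("EOB-1", "M1", "Provider X", 120.00),
    Claim("EOB-2", "M1", "Provider Y", 45.00),  # second EOB for the same patient
    Claim("EOB-3", "M2", "Provider X", 300.00, contains_ssn=True),
    Claim("EOB-4", "M3", "Provider Z", 80.00),
    Claim("EOB-5", "M2", "Provider Z", 10.00),
]
# What a broken addressing job might emit: EOB-3, -4 and -5 carry another
# member's address, the failure the article describes (constructed, not the
# actual defect, which the article does not detail).
BUGGY_BATCH = [
    EobLetter("EOB-1", "M1", "Provider X", 120.00, "1 Peachtree St, Atlanta GA"),
    EobLetter("EOB-2", "M1", "Provider Y", 45.00, "1 Peachtree St, Atlanta GA"),
    EobLetter("EOB-3", "M2", "Provider X", 300.00, "3 Pine Rd, Savannah GA", contains_ssn=True),
    EobLetter("EOB-4", "M3", "Provider Z", 80.00, "1 Peachtree St, Atlanta GA"),
    EobLetter("EOB-5", "M2", "Provider Z", 10.00, "1 Peachtree St, Atlanta GA"),
]

if __name__ == "__main__":
    report = check_batch(BUGGY_BATCH, SAMPLE_DIRECTORY)
    print(f"ok={report.ok} misaddressed={len(report.misaddressed)}/{report.total} "
          f"ssn_exposed={report.ssn_exposed}")
    for addr, ids in report.per_recipient.items():
        print(f"  {addr}: would receive {len(ids)} other members' EOBs {ids}")
    # The same gate passes a batch addressed by member lookup.
    print(check_batch(address_letters(SAMPLE_CLAIMS, SAMPLE_DIRECTORY), SAMPLE_DIRECTORY).ok)
```

The point of wiring `check_batch` into the release step is that it is independent of how the letters were addressed: a change to the addressing job, tested or not, cannot ship a batch that fails the invariant, and the report gives the incident team the list the Insurance Commissioner asked for (which members' letters went where) on the day of the error rather than weeks later.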

The error occurred statewide and affected both employer and individual health benefit plans.

Blue Cross' parent company, Indianapolis-based WellPoint, "is committed to protecting the privacy and security of all members' health information and is working diligently to mitigate any impact which may result from this operational error," Sanders said.
[Evan] How easy is it to make statements like this, and how hard is it to put these words into action?

Oxendine said he ordered the company to provide free credit monitoring for affected patients for one year.

Blue Cross also must give written notice to policyholders whose names were on the EOBs and compile a list of names of those who erroneously received the forms.

Blue Cross is in the process of removing all Social Security numbers from such future mailings, Sanders said.
[Evan] Like I said earlier, I would be more concerned about the medical information long-term.

Rhonda Bloschock, a registered nurse in Atlanta, said Monday that she discovered EOB forms from nine other patients in a large envelope she received Friday from Blue Cross.

"This is a serious privacy breach," Bloschock said. Nurses and other hospital staff "jump through all sorts of hoops protecting people's privacy," she said.

Since the passage of HIPAA, health insurers, hospitals, doctors and other medical providers have increased their efforts at protecting the privacy of medical records. And consumers have become more attuned to privacy issues, said Anne Adams, chief privacy officer for Emory Healthcare.
[Evan] The key is "consumers have become more attuned to privacy issues".  Consumers have all the power to drive change.  A single consumer may feel powerless, but as more and more consumers become aware, changes start to happen.

"There is an expectation that their personal information is protected and not used inappropriately," Adams said.
[Evan] Absolutely!  The data owners' (consumers) expectations are one thing and the data custodians' (organizations) practices are another.

But with the movement toward keeping health records electronically, there's more potential for breaches to happen, Adams said.

Joy Pritts, director of Georgetown University's Center on Medical Record Rights and Privacy, said the push for electronic medical records "should proceed hand in hand with additional privacy and security protections."

Policyholders who received an incorrect EOB should contact Blue Cross's dedicated toll-free number at between 7 a.m. and 9 p.m. Monday through Friday.

Members who may have received an EOB of another individual should return it to Blue Cross. The company will provide a postage-paid envelope.

Commentary:
The disclosure of medical information could potentially be devastating to an individual.  Do you think it is conceivable that a person whose medical condition is disclosed can be turned down for health insurance and never know why?  People can recover from identity theft, albeit a HUGE hassle.  How do people recover from medical information disclosure?

Past Breaches:
WellPoint, Inc.:
April, 2008 - WellPoint customer information exposed for a year
Blue Cross Blue Shield:
March, 2008 - 40,000 BlueCross BlueShield members notified of lost laptop


 
Comments
  • 8/2/2008 3:07 PM Lee D. Church wrote:
    So how do I know if my info was sent to someone else?
    1. 8/5/2008 8:51 AM Evan Francen wrote:
      Lee,

      Unfortunately, you will have no way of knowing for sure.  If you are concerned, I would encourage you to contact Blue Cross via the dedicated toll-free number at between 7 a.m. and 9 p.m. Monday through Friday.

      Feel confident in knowing that you are the owner of your information and as such you should be able to demand answers to your questions.

      Feel free to contact me if you think I can help.

      -Evan

  • 8/11/2008 7:33 PM MS wrote:
    So, who is starting the class action lawsuit? I'm ready to get on board. This security breach is a violation of the HIPAA act.
    1. 8/17/2008 8:19 PM James wrote:
      This situation involves my family. I am interested in what develops with this matter.
  • 8/27/2008 9:15 AM KL wrote:
    Surprisingly, this isn't new to me. I do billing for a surgeon and often times I will see an insurance company (UnitedHealthcare) pulling money back from someone who the doctor has never even seen (they don't even live in any of the surrounding states!). We called and they reported it was in error and that's about it.
