70,320 Tufts Health Plan Members Affects in Window Envelope Privacy Breach

Tufts Health Plan is warning 70,320 of its subscriber that their health plan ID numbers have been accessed.

A mailing vendor/partner utilized by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage subscribers between December 11, 2017 and January 2, 2018.

Envelopes with plastic envelopes were used which naturally permitted plan members’ names and addresses to be visible, but Tufts Health Plan member IDs were also visible via the plastic windows of the envelopes. The mailing mistake was noticed by Tufts Health Plan on January 18.

Tufts Health Plan commented that its member IDs do not include Social Security numbers or Medicare numbers, but possibly the member ID numbers could be misused by people to receive services included in the health plan.

Legal specialists were asked about the breach to assess the potential danger to plan subscribers. The danger of misuse of the numbers is thought to be minimal as the only people likely to see the member IDs would be postal service staff. Plan subscribers have been told that in the unlikely event that their member IDs are improperly used they will not be liable for any charges.

Plan subscriber should review their Explanation of Benefits statements carefully and should report any services detailed on the statements that are invalid.

The health plan states that it has been working closely with its vendor to ensure  incidents like this do not happen in the future. The mailing vendor has stated that the mistake that caused the privacy incident has now been mended.

In this case, the privacy breach was restricted and patients should not be adversely impacted, but similar incidents have been experienced at other healthcare groups that have caused serious issues for some people.

On July 28, 2017, a business associate of Aetna sent a mailing to almost 12,000 plan subscribers outlining a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are used to treat HIV and as Pre-exposure Prophylaxis (PrEP) to stop contraction of HIV. Data about those medications could clearly be seen through the plastic windows of the envelopes. The disclosure was not restricted to the postal service. In some instances, the data was inadvertently disclosed to family members and living partners.

A class-action legal action was filed against Aetna which was settled for $17 million. Aetna was hit with a $1.15 million penalty by the New York Attorney General over the privacy violation and further steps may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights (OCR).

Author: Security News