70,320 Tufts Health Plan Members Affected by Window Envelope Privacy Breach

Tufts Health Plan is warning 70,320 of its subscribers that their health plan ID numbers have been accessed.

A mailing vendor/partner utilized by Tufts Health Plan sent Tufts Medicare Preferred ID cards to Medicare Advantage subscribers between December 11, 2017 and January 2, 2018.

The envelopes had plastic windows, which by design left plan members’ names and addresses visible, but Tufts Health Plan member IDs were also visible through the windows. Tufts Health Plan noticed the mailing mistake on January 18.

Tufts Health Plan commented that its member IDs do not include Social Security numbers or Medicare numbers, but that the member ID numbers could possibly be misused to obtain services included in the health plan.

Legal specialists were consulted about the breach to assess the potential danger to plan subscribers. The danger of misuse of the numbers is thought to be minimal, as the only people likely to see the member IDs would be postal service staff and members of the plan members’ own households. Plan subscribers have been told that, in the unlikely event that their member IDs are improperly used, they will not be liable for any charges.

Plan subscribers should review their Explanation of Benefits statements carefully and should report any services detailed on the statements that are invalid.

The health plan states that it has been working closely with its vendor to ensure incidents like this do not happen in the future. The mailing vendor has stated that the mistake that caused the privacy incident has now been corrected.

In this case, the privacy breach was limited and patients should not be adversely impacted, but similar incidents at other healthcare groups have caused serious issues for some people.

On July 28, 2017, a business associate of Aetna sent a mailing to almost 12,000 plan subscribers outlining a change to pharmacy benefits for individuals who were receiving HIV medications. The medications are used to treat HIV and as Pre-exposure Prophylaxis (PrEP) to stop contraction of HIV. Data about those medications could clearly be seen through the plastic windows of the envelopes. The disclosure was not restricted to the postal service. In some instances, the data was inadvertently disclosed to family members and live-in partners.

A class-action lawsuit filed against Aetna was settled for $17 million. Aetna was also hit with a $1.15 million penalty by the New York Attorney General over the privacy violation, and further steps may be taken against the health insurer by other state attorneys general and the HHS’ Office for Civil Rights (OCR).

Author: Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years’ experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA