Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.
Affected families are members of WellCare of Georgia, which is part of WellCare Health Plans, said WellCare spokeswoman Amy Knapp.
She said a human error allowed the information to be accessible for an unknown period of time, but that the secret data was removed from the Internet on April 2. It was not immediately known when the data breach occurred or how long the secret data was available.
The state of Georgia said it was notified March 31.
Knapp said there are 450,000 members of WellCare of Georgia. Those whose data was made available on the Internet included members of Medicaid, the federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor.
Knapp said letters were being sent to 71,000 Georgia families possibly affected.
WellCare of Georgia is a partnership between the Georgia Department of Community Health and private health care management organizations, she said.
She said the Social Security numbers of about 10,500 members, all of them members of Medicaid or PeachCare, may have been viewed by unauthorized people on the Internet.
"There is a possibility that an initial 59,000 members may have had some personal information made accessible, so we are notifying them as well, just to be safe," Knapp said.
A Web developer prepared a copy of a DCH report folder that was "to be deployed to our Georgia Web portal" but instead made it accessible on the Internet. She said at least 53 folders of names were accessed 248 times.
She also said it could not be determined which secret pages had been viewed.
WellCare said in a statement that it is believed the mistake involved "only our Georgia Families membership in Georgia, and not our Medicare, coordinated care, private fee-for-service or prescription drug plan membership."
"The files exposed did not contain credit card, debit card or financial account numbers," the WellCare statement said. "They may have contained personal identifying information, such as a member's name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, Social Security number or other health plan related information.
"At this time, WellCare is not aware of any misuse of its member information due to the accidental exposure of the file on the Internet," the statement said. "WellCare is now notifying in writing the members who could have been affected by this incident. Members should receive those letters by the middle of this week."
The company also said it is offering to "pay for one year of credit monitoring for those individuals."
The state Department of Community Health said it had no comment on the breach, and that it could not say how many of the letters would go to PeachCare for Kids or Medicaid members.
Lisa Marie Shekell, a spokesman for DCH, said the state was notified of the mistake on March 31.
Mike Cotton, president of WellCare's Georgia region, said it "takes the privacy and security of personal information very seriously" and has retained a national information technology company "to perform a full assessment of its security and privacy controls."
WellCare provides managed care services exclusively for government-sponsored health care programs, focusing on Medicaid and Medicare. It offers a variety of health plans for families, children, the aged, blind and disabled, and has 2.3 million members nationwide.
Shekell said 237,437 Georgia families are members of PeachCare for Kids. She said it could not be immediately determined how many Georgia families are on Medicaid.
"Privacy and security of personal information is an essential in health care data systems," Shekell said. "We respect the expectations of our program members that their information be managed in the most secure manner and that they be informed if errors do occur."
She said the state "required WellCare to send out individual letters to notify affected members and provide them with information about credit monitoring services."
Comments
By thisnthat
Apr 14, 2008 8:44 AM | Link to this
I do not remember the specifics under the HIPAA privacy and security requirements, but I know that a hospital would be fined $10,000 per incident. At 71,000 people, that would be a fine of $710,000,000. Certainly that would put them out of business. To file a complaint under HIPAA contact: Region IV - AL, FL, GA, KY, MS, NC, SC, TN
Office for Civil Rights
U.S. Department of Health & Human Services
61 Forsyth Street, SW. - Suite 3B70
Atlanta, GA 30323
(404) 562-7886; (404) 331-2867 (TDD)
(404) 562-7881 FAX
By Walter
Apr 11, 2008 11:23 PM | Link to this
This is no surprise. WellCare was recently raided by 200 federal agents at their headquarters in Tampa, Florida on suspicion of other federal violations. The Office of Civil Rights should come down hard on this for-profit "medicaid" company so they either get their act straight or close down.
By Renee
Apr 9, 2008 10:39 PM | Link to this
Two of my children were exposed to this really suspicious circumstance, they are both under the age of seven, when I got my letter today, I felt very upset about it, cause about three years ago a disk was lost with the girls' info on it as well. The children need to be protected from crimes such as this, does anyone have any advice on how I should go about and protect my girls for this ridiculous mistake of the company?
By Tyler
Apr 9, 2008 2:08 PM | Link to this
Didn't this same thing happen before? I think they lost a disc or something with family records on it. There is no privacy because these places really don't seem to care. Seems the poorer people never have the same rights as the upper class.
By Aja Brooks
Apr 9, 2008 1:21 PM | Link to this
This does not surprise me at all! The waiver that I had to sign at the local county health department made my info accessible to third parties. I would not be surprised that it turns into water cooler conversation!
By Truth
Apr 9, 2008 1:06 PM | Link to this
I am very upset because of this! The person who released this very personal information should be fired!!!!! The company should be sued and made to pay for each person that is on PeachCare or Medicaid to change their ss#'s. Most of the people on PeachCare are children and their information needs to be protected at all times! When a person signs up for this program they tell you that your information will be secure and not to worry. If I am affected by this I will sue this company! You better believe it!
They also need to serve time in a federal prison for this crap!!!
By Truth
Apr 9, 2008 1:05 PM | Link to this
I am very upset because of this! The person who released this very personal information should be fired!!!!! The company should be sued and made to pay for each person that is on PeachCare or Medicaid to change their ss#'s. Most of the people on PeachCare are children and their information needs to be protected at all times! When a person signs up for this program they tell you that your information will be secure and not to worry. If I am affected by this I will sue this company! You better believe it!
By State Employees Data Exposed
Apr 9, 2008 12:31 PM | Link to this
I personally am surprised to see coverage of this information which makes mention of Department of Community Health personal data, but there has been absolutely NOTHING in the news about the fact that within the past three years, there have been THREE different security breaches of an "unauthorized individual" who has "taken state employee data, including social security numbers, and other information" and has done WHO KNOWS WHAT with it.
The most recent one was March 2008!!!
HELLO!! Can you say Class Action Lawsuit!!!!??????
By Jana
Apr 9, 2008 11:38 AM | Link to this
The company should pay for these people to obtain a new ssn. That way it wouldn't matter if someone obtained their old ssn.
By Make them pay
Apr 9, 2008 11:19 AM | Link to this
Data disclosures and losses of unencrypted data are a regular occurrence with little to no recourse to the affected individuals. First, an offer of 90 days, or in this case a year, of credit monitoring service assumes that nothing could happen after that period of time. The fact is that once your data is disclosed or lost, it is out there FOREVER. Credit monitoring also does not prevent your identity from being stolen. When a company says that they have no information that the disclosed/lost data was used improperly, that means that nobody has PROVEN that any identity theft or improper credit usage has yet been directly attributed to their mishandling of your data. The argument could be made that your problems are not because of their actions but rather a separate issue not connected to them. The burden is going to be on YOU to prove that their actions resulted in your loss. The people responsible for this disclosure should be FIRED. WellCare of Georgia should be held responsible for any and all losses by these people FOREVER. They would argue that this is unfair but the reality is that because of their actions, the individuals whose data was released must be extra vigilant to protect themselves for virtually the rest of their lives. We need legislation that deals with people's data, that at a minimum requires that it is encrypted at all times so if a data tape or laptop is lost it will be worthless. Breaches such as what happened here should make the company involved be assumed to be the cause and source of any problems down the road with the burden on them to prove that they could not be the source, rather than you have to prove that they are.