Private medical data exposed
Insurance benefit letters sent to wrong addresses by Blue Cross and Blue Shield reveal claim histories, open door to ID theft.


The Atlanta Journal-Constitution
Published on: 07/29/08

Georgia's largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that also raised concerns about potential identity theft.

Blue Cross and Blue Shield of Georgia said Monday that the erroneous mailings were primarily Explanation of Benefits (EOB) letters, which include the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed.

"A small percentage" of letters also contained the patient's Social Security numbers, said Cindy Sanders, a Blue Cross spokeswoman. The EOB forms were mailed to the addresses of other Blue Cross policyholders.

The security breach may be a violation of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects patients' medical information. The privacy rules were fully implemented in 2003, but few fines have been assessed under the law, experts said.

While the insurer said it was still determining the number of letters involved, state Insurance Commissioner John Oxendine, whose office is investigating the problem, gave a preliminary estimate of 202,000.

That figure does not equal the number of patients affected, though, because some would have received multiple EOBs if they had visited several medical providers, Oxendine said.

"This is very, very serious," Oxendine said. A person with knowledge of medicine or billing, for example, could determine if the patient was treated for cancer, HIV or fertility problems, he said.

Blue Cross said the mix-up was caused by a change in the computer system that was not properly tested.

"As soon as we became aware of the mailing error, we worked to determine the exact cause, and we have made changes to prevent it from happening again in the future," Sanders said.

Blue Cross has 3.1 million Georgia policyholders.

The error occurred statewide and affected both employer and individual health benefit plans. The company has many state employees and schoolteachers as members, as well as large and small corporate customers. Blue Cross declined to identify large employers that it serves.

Blue Cross' parent company, Indianapolis-based WellPoint, "is committed to protecting the privacy and security of all members' health information and is working diligently to mitigate any impact which may result from this operational error," Sanders said.

Oxendine said he ordered the company to provide free credit monitoring for affected patients for one year. Blue Cross also must give written notice to policyholders whose names were on the EOBs and compile a list of names of those who erroneously received the forms.

Blue Cross is in the process of removing all Social Security numbers from such future mailings, Sanders said.

Rhonda Bloschock, a registered nurse in Atlanta, said Monday that she discovered EOB forms from nine other patients in a large envelope she received Friday from Blue Cross.

"This is a serious privacy breach," Bloschock said. Nurses and other hospital staff "jump through all sorts of hoops protecting people's privacy," she said.

Since the passage of HIPAA, health insurers, hospitals, doctors and other medical providers have increased their efforts at protecting the privacy of medical records. And consumers have become more attuned to privacy issues, said Anne Adams, chief privacy officer for Emory Healthcare.

"There is an expectation that their personal information is protected and not used inappropriately," Adams said.

But with the movement toward keeping health records electronically, there's more potential for breaches to happen, Adams said.

Joy Pritts, director of Georgetown University's Center on Medical Record Rights and Privacy, said the push for electronic medical records "should proceed hand in hand with additional privacy and security protections."

WHAT TO DO?

Policyholders who received an incorrect EOB should contact Blue Cross's dedicated toll-free number at 866-800-8776 between 7 a.m. and 9 p.m. Monday through Friday. Members who may have received an EOB of another individual should return it to Blue Cross. The company will provide a postage-paid envelope.

Comments

By Mike Buglioli

Aug 19, 2008 1:40 PM

This just underscores the outsourcing that Wellpoint did so much of in IT that is now coming home to roost, as we say in the South. All the execs who wanted those stock options and big payouts are long gone and oh yeah, John Oxendine approved the original merger. He must have forgotten.

By Mark Cochran

Jul 30, 2008 2:41 PM

"Joy Pritts, director of Georgetown University's Center on Medical Record Rights and Privacy, said the push for electronic medical records should proceed hand in hand with additional privacy and security protections."

This is the direction healthcare and medical companies are migrating to. Look to Biscom to protect yourself from these breaches with secure file transfer to internal and external users to meet compliance regulations.

Mark Cochran
Biscom
978-367-3527

By c

Jul 30, 2008 12:18 PM

Just goes to show that if you don't have a personal ID Theft plan in place, you are living at risk, at the mercy of all the careless or disgruntled employees of all the companies and agencies who have collected your data over the years.

It's sorta like anti-virus software or wearing a condom.... knowing the consequences, who would go unprotected?

Make sure your ID Theft plan includes legal support and professional restoration along with credit monitoring. The best is the Kroll/PPL Identity Theft Shield (www dot fightIDT dot com)

By Mel

Jul 30, 2008 10:55 AM

The same agency that we look to help keep insurers on their toes against this sort of thing is the one constantly getting its budget cut by state lawmakers who either work in the insurance industry or are taking gobs of campaign cash from it.

By Healthy

Jul 30, 2008 4:30 AM

The article states that the Insurance Commissioner's office demands "Blue Cross... also must give written notice to policyholders whose names were on the EOBs and compile a list of names of those who erroneously received the forms." If the wronged patient receives these names, what are they to do with the names? Unless a name is highly unique, what good does having the name do? Many people have the same name. Unless the wronged patient also has the criminal history of the person who erroneously received the information, a name doesn't tell them anything. As for having the name of the medical provider who supplied the services, this provides an easy way for folks to determine what type of care the wronged patient received. Free credit monitoring for one year is inappropriate. As the information is out there forever, credit monitoring should be provided forever, at the expense of BCBS. What is BCBS going to do to compensate the wronged patients? Oh nothing. I forgot. The Insurance Commissioner is married to a Blue Cross Blue Shield employee. Why would he want to charge fines to the organization which provides a percentage of his own household income? It could reduce his own future household income.

By M

Jul 29, 2008 5:11 PM

For the past several years I have been in the position of verifying the work done by programmers and, let me tell you, there are a LOT of bad ones out there. The ones who would argue with me when it was clear they had made mistakes, the ones who would go around me and complain to my boss about me, the ones who would lie about their tests - I was their worst nightmare. I have fixed screw-ups like this and I have stopped screw-ups like this and it is my belief that not only should the programmers involved be fired, their management should be fired also. There is no excuse for this.

By al

Jul 29, 2008 5:07 PM

thousands of dollars we spend per year on this so called "health care"? please...

no incumbents in 2008!


By TIMEFORCHANGE

Jul 29, 2008 5:04 PM

Insurance companies are like the government. Too big and nobody wants to work. Nobody cares about the job they are doing as long as they get paid and it benefits THEM. Just like the Government, way too big, too much money to spend and not a single brain in the bunch that cares a hoot about the American People, but only making sure that ILLEGALS have all the benefits that the truly needy American people do not have.

Big is not good, Insurance is the number 2 next to government. They both work the same and it's all a violation of privacy and control. Needs to change in a big way.
