Understanding your rights under HIPAA
A contractor that administers Missouri Medicaid plans says it accidentally exposed the personal health information of 19,570 children.
A vice president for WellCare Health Plans Inc. said in a letter to The Star that the company learned on July 25 that a “mailing error” caused reminders about well-child visits for the company’s Missouri Care members to be sent to the wrong addresses.
“The letters contained personally identifiable health information including (the) child’s name, age and provider name,” said the letter from Ted Webster, WellCare’s VP and chief security and privacy officer.
Webster’s letter, which he said he was required to send by law, was postmarked Aug. 23.
It says there is no evidence suggesting the exposed information was misused, but WellCare is nonetheless offering members one year of free credit monitoring from Experian.
The letter also advises Missouri Care members to keep an eye on credit card bills, monitor bank accounts for unauthorized activity and not answer “emails asking for personal details or other information.”
“As we continue to investigate the scope of the incident, we are taking steps to prevent something like this from happening again,” Webster’s letter says. “Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”
Julie Roth, a lawyer with Spencer Fane in Overland Park and an expert on medical privacy laws, said the information WellCare exposed doesn’t sound too sensitive in comparison to some other breaches, but it could still be a violation of the Health Insurance Portability and Accountability Act, or HIPAA.
“This isn’t a situation where diagnoses were disclosed or account information, or full clinical reports (were disclosed),” Roth said. “So it’s more limited in nature, but I agree, personally, with their decision to notify individuals.”
Roth said health care organizations do a risk assessment after identifying potential data breaches to determine whether they should self-report them. WellCare notified the media because of the size of the breach, she said.
“You always notify the individuals (affected),” Roth said. “In cases where more than 500 individuals are involved in a jurisdiction, then you also notify the media at the same time.”
Missouri Care plans cover about 275,000 people throughout the state and focus mainly on children and pregnant women.
It’s the second straight year that a mailing error has exposed the data of Missouri Care members. Last August the company reported a similar breach of 1,223 members’ information that the company blamed on a subcontractor, O’Neil Printing. No health information was exposed in that breach, but names, dates of birth and Medicaid account numbers were.
WellCare also offered one year of free credit monitoring after that incident.
“Often that’s about the only thing that you can do,” Roth said. “Clearly in cases where there’s been Social Security numbers disclosed or financial account numbers disclosed, the credit monitoring is, in my opinion, always appropriate. But even here, with the child’s name, age and provider, it looked to me like they were offering credit monitoring to essentially mitigate any harmful effect that might occur.”
Missouri’s Medicaid program, MO HealthNet, also informed more than 25,000 members in 2013 that their personal information, including full Social Security numbers in some cases, was mailed to incorrect addresses by another contractor, InfoCrossing Inc. A “software programming error” was blamed for that breach.