Private medical data exposed
Insurance benefit letters sent to wrong addresses by Blue Cross and Blue Shield reveal claim histories, open door to ID theft.
The Atlanta Journal-Constitution reported today that Georgia's largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that also raised concerns about potential identity theft.
Blue Cross and Blue Shield of Georgia said Monday that the erroneous mailings were primarily Explanation of Benefits (EOB) letters, which include the patient's name and ID number, the name of the medical provider delivering the service, and the amounts charged and owed.
"A small percentage" of letters also contained patients' Social Security numbers, said Cindy Sanders, a Blue Cross spokeswoman. The EOB forms were mailed to the addresses of other Blue Cross policyholders.
The security breach may be a violation of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), which protects patients' medical information. The privacy rules were fully implemented in 2003, but few fines have been assessed under the law, experts said.
While the insurer said it was still determining the number of letters involved, state Insurance Commissioner John Oxendine, whose office is investigating the problem, gave a preliminary estimate of 202,000.
"This is very, very serious," Oxendine said. A person with knowledge of medicine or billing, for example, could determine if the patient was treated for cancer, HIV or fertility problems, he said.
Blue Cross' parent company, Indianapolis-based WellPoint, "is committed to protecting the privacy and security of all members' health information and is working diligently to mitigate any impact which may result from this operational error," Sanders said.
Oxendine said he ordered the company to provide free credit monitoring for affected patients for one year. Blue Cross also must give written notice to policyholders whose names were on the EOBs and compile a list of names of those who erroneously received the forms.
Blue Cross is in the process of removing all Social Security numbers from such future mailings, Sanders said.
Rhonda Bloschock, a registered nurse in Atlanta, said Monday that she discovered EOB forms from nine other patients in a large envelope she received Friday from Blue Cross.
"This is a serious privacy breach," Bloschock said. Nurses and other hospital staff "jump through all sorts of hoops protecting people's privacy," she said.
WHAT TO DO?
Policyholders who received an incorrect EOB should call Blue Cross' dedicated toll-free number at 866-800-8776 between 7 a.m. and 9 p.m. Monday through Friday. Members who may have received another individual's EOB should return it to Blue Cross. The company will provide a postage-paid envelope.