FirstCare Health Plans, a Texan health insurance organisation, has revealed that more than 8,000 of its members may have had some of their personal data breached due to an email error made by one of its staff.
The organisation is in the process of notifying 8,056 plan members plan members that may have had some of their sensitive personal information impermissibly disclosed to an unauthorised individual as a result of automated reports being accidentally emailed to the wrong person. The reports contained medical requests which included members’ names, member ID numbers, procedure codes, descriptions of treatments, authorization numbers, and names of treating providers. FirstCare Health Plans said that neither Social Security numbers nor financial information were accidentally disclosed during the breach. The email had not been encrypted.
The reports, which are compiled on a daily basis, were automatically generated and sent to an email distribution list. On August 15, 2018, the FirstCare IT security team became aware that the reports had been sent to an external email address in error. This, compounded with the fact that the emails were unencrypted, constituted a significant data breach.
An investigation was launched into the incident, and it was revealed the reports had been sent over a period of 17 months before the error was noticed, starting on March 22, 2017. The reports contained the protected health information (PHI) of 8,056 plan members.
In accordance with HIPAA’s Breach Notification Rule, breach notifications must be sent to all of the patients who were identified as being affected by the breach. Due to the size of the breach, FirstCare posted a breach notice on its website, in which it explained the various security solutions had been deployed to monitor for unauthorized access, acquisition, and unauthorized use of ePHI, but they had failed to identify the misdirected emails.
Upon discovery of the error, the incorrect recipient was removed from the distribution list. The organisation launched a full review of its email system, and an audit was conducted of all other automated reports to ensure similar errors had not been made.
In response to the data breach, FirstCare has now developed a new protocol to ensure the recipients of active reports are regularly monitored and new auditing parameters have been implemented related to change controls in order to prevent another incident of a similar nature from occurring in the future.
FirstCare has taken several steps to contact the user of the email account to which the emails had accidentally been sent in order to assess the integrity of the ePHI and secure it if necessary. Emails were sent to the account in an attempt to get the user to make contact, but no response was received. FirstCare also engaged the U.S Federal Government to investigate and help identify the owner of the email account to minimize the potential for harm.
“We have not received any indication that the information has been accessed or used by an unauthorized individual,” explained FirstCare in its substitute breach notice. Since it is not possible to confirm whether there has been an impermissible disclosure of ePHI, FirstCare is offering to reimburse all affected patients for one year of credit monitoring services through LifeLock.