The entities affected by the hack of Onsite Health Diagnostics continue to dribble out. In today’s installment, we learn that the State of Tennessee‘s State Insurance Plan, Local Government Insurance Plan, and Local Education Insurance Plan members were affected by the hack of the state’s wellness vendor’s subcontractor.
The incident was added to HHS’s breach tool this past week.
PHIprivacy.net was able to obtain a cached copy of a notice that appeared on Tennessee’s web site:
OHD Security Incident Information
Onsite Health Diagnostics (OHD) is the subcontractor of the state’s wellness vendor, Healthways, which offers biometric screenings to our members. Healthways notified Benefits Administration that an unknown source gained unauthorized access to Onsite Health Diagnostic’s 2013 computer system during the time period from January 4, 2014, to April 11, 2014. The information that might have been accessed is: the name, address, email address, phone number, date of birth, and gender of 60,582 individuals who requested a physician screening form for their 2013 partnership promise.
The information which was accessed did NOT include members’ social security numbers, employee IDs or any medical or financial information. OHD has received no reports of identity theft related to this incident.
While this information did not contain any diagnosis or medical information, the state has determined that, because it is related to our members’ health benefits, the disclosure of name, address, email address, phone number and gender does fall under the HIPAA definition of a breach of protected health information. The state has notified the Secretary of HHS of a Breach of Unsecured PHI.
For more information contact the State’s Benefits Administration Privacy Officer at [email protected].