Dan Shortridge reports:
A printing error disclosed the private medical information of about 3,700 Blue Cross Blue Shield members in Delaware to other insurance company subscribers.
People who were affected by the problem should have received letters today notifying them of the accidental disclosure.
[…]
The problem centers around explanation of benefits forms that were sent to subscribers last week. On one side of the form is the member’s correct name; on the other side is the name of another member and information about their medical treatment.
Read more on DelawareOnline
What will Blue Cross Blue Shield do after that notification? Will that be all? I just hope that doesn’t happen BCBS members in California.
Good question. If there are no SSN or anything that could be used for financial fraud, then what would you want BCBS to do? Could the data be used for medical ID theft? Possibly, but since the recipients are already insured, I’m not sure why they would misuse the data for that purpose.
So here we have a real privacy breach…. with some personal info and some medical info disclosed. And it sounds like each person’s data was sent to one other person. I’m sure BCBS will review their security procedures, and maybe implement some more spot checks, but what do you think they should do?
Unfortunately, several of the Blue Cross/Blue Shield groups have had breaches in the last few years. They need to create a strong written policy and make sure it is followed nationwide- franchises included!
So here we have a real privacy breach…. with some personal info and some medical info disclosed. And it sounds like each person’s data was sent to one other person. I’m sure BCBS will review their security procedures, and maybe implement some more spot checks, but what do you think they should do?
Do proactively for the future or to assist those whose privacy was breached? There’s not too much they can do other than apologize profusely, offer to provide ID theft monitoring (because medical ID theft is a risk, however unlikely), or offer to credit them for two months’ insurance premiums as a way of apologizing. I’ve never seen any insurance company do that (“We’ll waive your premiums”), but it might be a good PR move.
The theory behind confidentiality provisions in health privacy laws is, in practical reality, as futile as the provisions in traffic laws which require drivers to obey speed limits. Most drivers either obey the law or aren’t caught speeding; but the damage and consequences of the driver who speeds and kills innocent victims on the roadway is no less significant to those affected than the impact suffered by the victims whose information has been compromised — especially when they become unwitting victims of medical identity theft.
Futile or not, I do think it’s important to codify confidentiality and privacy protections. If nothing else, it allows states to strip offenders of licenses to practice or do business. And that might be the biggest “stick” — if they were to ever impose it — to strip businesses of their ability to do business in a state if they have such sloppy security or inadequate protection. Not talking specifically about this case, but in general.