As part of following up on a breach involving the insecure disposal of health insurance applications (reported previously on this blog), I wanted to learn more about how insurance carriers respond to this type of breach. So I emailed questions to Aetna and Blue Cross Blue Shield of Florida asking whether their contracts with the agent required the agent to use secure disposal of records and whether the carriers would be notifying the individuals whose records had been recovered. I probably should have thought to ask who was actually responsible for retrieving all of the records with sensitive information that were now in the hands of a private investigator.
The email statement I received from Aetna thanked me for initially bringing the breach to their attention and indicated that after I contacted them, they had promptly contacted the investigator, William Cobra Staubs and retrieved all records he held concerning Aetna applicants. The statement continued:
We’ve completed the review of the documents. The insurance agent’s files included 13 people who had Social Security numbers on Aetna applications for a small business customer. We are notifying each of them and will offer free credit monitoring. We have no current business with this agent.
In answer to my question concerning whether agencies are associates under HIPAA and what their responsibilities are with respect to data protection and disposal, the spokesperson wrote:
Under HIPAA, producers aren’t covered entities. They are considered business associates when performing functions on our behalf. Either way, Aetna has agreements in place with all producers (general agents, brokers) that contain protective privacy and security requirements regarding the disclosure and safeguarding of PHI and notification of any possible breaches.
The company declined to say whether the insurance agency had violated any contractual agreements, saying
We don’t have all the facts about how the documents were discarded, so we can’t make that determination at this time.
It appears that Aetna followed up promptly and appropriately on a reported breach to protect those who applied for their coverage. But what about the other insurance carriers whose applications were found in the dumpster? Has Blue Cross Blue Shield of Florida recovered their applications (they reportedly had the most records involved in the incident)? Has Cigna? Do some of these carriers even know about the breach?
In mid-January, Staubs informed this site that he was still in possession of all of the Blue Cross Blue Shield applications – two weeks after the breach. On January 19, I wrote to Blue Cross Blue Shield of Florida to ask if they had recovered the files and if not, why not. They did not respond to that inquiry.
So how long is “too long” for an insurance carrier to retrieve records? Or am I looking in the wrong direction and I should be asking how long is too long for the agency have retrieved them?
Are completed insurance applications still in the hands of an uninvolved third party? If so, who is responsible for that?
And has anyone reported this breach to HHS? I wonder…