A press release issued by Blue Cross Blue Shield of Florida, seen on SacBee:
In late January 2011, Blue Cross and Blue Shield of Florida (BCBSF) discovered that, because of a system error, it had inadvertently mailed some member health information to incorrect addresses. BCBSF regrets that this error occurred. BCBSF fixed the issue the same day it was discovered and current addresses are now in place for all of these members. BCBSF has evaluated its systems and made the appropriate changes to prevent this error from reoccurring.
The company recently converted to a new source of customer mailing address information. This new system tracks both prior and current member mailing addresses. During the system conversion, a limited number of old customer mailing addresses were inadvertently identified as the current addresses. Fewer than 7,400 members (out of nearly 4 million members) were impacted when their information was mailed to a former mailing address during the three month period since the system conversion. The mail sent to the former addresses included explanation of benefit forms. No social security numbers, date of birth or other financial information were included on the information sent to the incorrect addresses.
BCBSF has taken the appropriate steps to rectify this situation and has contacted the affected members. Members who think they may have been affected by this incident and who have not received any notification from the company should call this dedicated customer service number: 1-877-526-1013.
[…]
Okay, BCBSFL is certainly not the first insurer to report a mailing gaffe, and I understand why they issued the press release as this is a reportable breach under HITECH. Somewhat surprisingly, though, I do not see any notice prominently linked from their home page. Although such notice is not required if other methods of notification are used, it’s becoming pretty common for entities to post the breach notice on their web site with a prominent link to it on the home page.
Blue Cross Blue Shield of Florida was recently mentioned in another breach involving improper disposal of records. In that breach, which involved less than 500 applicants, BCBSFL did not issue any press release. Indeed, they didn’t even respond to my inquiry about whether they were in possession of the applications or if the discarded applications were still in the hands of the individual who had found them in a dumpster. If anyone has any additional details on that one, please post them or email me.
[headline corrected to reflect mis-mailing to wrong addresses]