DataBreaches.Net

Macomb County, Michigan notifies employees and dependents of business associate breach

Posted on October 9, 2014 by Dissent

Update: After this entry was posted, PHIprivacy.net received additional information indicating that there were actually two Macomb County Business Associates involved in the provision of the file to the County. “One of these two Business Associates is U.S. Health Holdings’ subsidiary Automated Benefit Services,” a spokesperson for the county’s communications firm tells PHIprivacy.net. “The breach did not occur at or by Automated Benefit Services, but the breach was reported to HHS by U.S. Health Holdings Ltd on behalf of Covered Entity Macomb County. The other Business Associate is not a U.S. Health Holdings Ltd. subsidiary or client of ours,” the spokesperson writes.

A new entry on HHS’s public breach tool involves an incident reported by U.S. Health Holdings, Ltd. on behalf of Macomb County, Michigan. The breach is coded on the tool as involving “Unauthorized Access/Disclosure.”

On October 1, Macomb County issued a press release about the incident that was sent to various news outlets serving Macomb County, Michigan: the Macomb County Daily, the Detroit News, and the Detroit Free Press. It was also issued to NBC affiliate WDIV. A copy of the release was sent to PHIprivacy.net by the county’s communications firm, Lewis Brisbois Bisgaard & Smith LLP:

Although there is no indication of any actual or attempted misuse of personal information or protected health information belonging to participants in the Macomb County Medical, Dental, and Vision Plans (the “Plans”), Macomb County, Michigan (the “County”) will be notifying employees, as well as their dependents and spouses, who have the potential to be affected by the inadvertent posting of certain information on the Michigan Inter-Governmental Trade Network (“MITN”) website.

The inadvertent posting occurred in conjunction with the County soliciting bids from potential Plan service vendors. As part of the competitive bid process, the County received a file inadvertently containing personal information from one of its vendors. The file was then posted to the registered user-only restricted access portion of MITN from July 3, 2014 to July 31, 2014 so that potential bidders were able to review the information and submit bids to the County. Thereafter and until the situation was discovered on September 10, 2014, the information was accessible to MITN users by way of a link from the MITN homepage. The file posted to MITN contained participant names, dates of birth, social security numbers, zip codes, cities, and Plan carrier names. This file did not include any treatment, diagnosis or treating physician information, or Plan identification numbers. Once discovered, the information was immediately removed from MITN. A thorough investigation into this matter has been performed and changes have been made to the County’s competitive bidding process to prevent this from occurring again in the future.

On September 30, 2014, letters were mailed to those participants identified as being potentially affected by the incident, and to the parents/guardians of participants’ potentially affected dependents. Notice of this incident was also provided to the U.S. Department of Health and Human Services and to the national consumer reporting agencies on October 1, 2014.

Although there is no report of any attempted or actual misuse of participant information, those identified as being potentially affected are also receiving access to one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and to an identity theft protection specialist.

To further protect against identity theft or other financial loss, individuals are encouraged to remain vigilant, review account statements and monitor credit reports for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the national consumer reporting agencies. Free credit reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. The national consumer reporting agencies can also be contacted directly to request a free credit report.

Individuals are also encouraged to review Explanation of Benefits statements received from insurers for suspicious activity. If an individual does not receive regular Explanation of Benefits statements, he or she can contact his or her insurer to request copies. Individuals may want to order copies of credit reports to check for any unrecognized medical bills. If an individual finds anything suspicious, he or she may call the credit reporting agency at the phone number on the report.

At no charge, an individual can have the national consumer reporting agencies place a “fraud alert” on the individual’s file that alerts creditors to take additional steps to verify the individual’s identity prior to granting credit in the individual’s name. As soon as one national consumer reporting agency confirms the fraud alert, the others are notified to place fraud alerts on the individual’s file. Because a fraud alert tells creditors to follow certain procedures to protect the individual against identity theft or fraud, it may also delay the individual’s ability to obtain credit while the agency verifies the individual’s identity. The contact information for the national consumer reporting agencies is: Equifax P.O. Box 105069, Atlanta, GA 30348-5069, 800-525-6285, www.equifax.com; Experian P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion P.O. Box 2000, Chester, PA 19022, 800-680-7289, www.transunion.com.

Individuals can also further educate themselves regarding identity theft, and the steps that can be taken to protect themselves, by contacting their state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. Known or suspected incidents of identity theft or fraud should be reported to law enforcement.

Anyone with any additional questions may contact the confidential assistance line, available at 1-877-313-1395 between 8:00 a.m. and 8:00 p.m., Central Standard Time, Monday through Saturday.

That’s a fairly comprehensive notification and really gives those potentially affected the information and tools they need to protect themselves and their dependents.

According to the notification to HHS, 6,302 employees and dependents were notified of the breach.

Category: Health Data

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.