Group Health Incorporated (GHI), an Emblem Health company, is notifying members of a breach due to exposure of PHI on mailing labels. The mailing error occurred between October 3 and October 14, and was discovered on October 13.
They explain:
Earlier this month, GHI mailed you a copy of your Medicare Prescription Drug Plan Evidence of Coverage (a document that describes the health care benefits covered by your plan and how your plan works).
On October 13, 2016, we learned of an unintentional disclosure of your Health Insurance Claim Number (HICN) as a result of this mailing.
Our investigation found that, while preparing the Evidence of Coverage documents for mailing, HICNs were inadvertently included in the electronic file sent to EmblemHealth’s vendor and were then disclosed on the external mailing label that was affixed to the package.
What Information Was Involved
GHI is required to assign each member a “mailing identifier” number, which is randomly selected and contains no member information. This mailing identifier helps us keep track of the mailings we send to you. In this instance, the “mailing identifier” that GHI intended to use was mistakenly replaced with your HICN, which mirrors your Social Security number. As a result, your proper name and address appeared on the external mailing label of the evidence of coverage documents, along with the nine digits of your Social Security number that were listed as the package number (PKG#) located above the barcode. At no time were these nine digits identified as your Social Security number and no health information or financial information about you was disclosed.
What We Are Doing
Protecting your personal information is a responsibility we take very seriously, and we are taking action to reduce the likelihood of this happening again. We sincerely apologize for this incident and want you to know that we have taken comprehensive steps to provide a set of support services to ensure your personal protection. We have arranged to have AllClear ID protect your identity for 24 months at no cost to you, including a dedicated helpline for any questions you may have, free credit monitoring for you, and up to $1 million of identity theft insurance coverage.
You can read the full notification on Emblem Health’s site. The number of members being notified was not disclosed, and the incident is not yet up on HHS’s breach tool.