It seems Contra Costa Health Plan discovered that a contractor that they had hired and who had access to EHR beginning on December 1, 2014 had used a falsified identity to get the contractor position. The position involved access to EHR as part of the contractor’s functions relating to utilization management.
In a letter to those affected, Frank Lee, J.D., Director of Compliance and Government Relations, writes that CCHP has no indication that the contractor misused the information that she accessed, but under the circumstances, they are notifying everyone whose records she might have accessed. The number of patients is not indicated in CCHP’s sample notification letter, which is reproduced below. The incident is not yet up on HHS’s breach tool, although I imagine we will see it there eventually.