June turned out to be a busy month for breach reports involving health/medical data. My worksheet has more than 50 entries and I’m still adding reports as I find them.
Today, I found one from Providence Health Plan in Oregon that I thought I’d mention here as it impacted almost 50,000 plan members, and I don’t recall seeing any coverage of this one.
According to a notice I found, on April 17, a business associate, Zipari, notified them that due to a coding error, enrollment documents for employer-sponsored plans in the small group market had been exposed online without encryption. On April 9, 2020, Zipari had determined that “certain Providence Health Plan enrollment documents had been accessed by unauthorized IP addresses in May, September, and November of 2019.”
The accidentally exposed information included employer names, member names, and member dates of birth. It did not include any medical history, health information, SSN, or financial information.
In response to the incident, Zipari encrypted the documents, remediated its coding error and took additional steps to improve its security. For its part, Providence Health Plan is arranging a third-party audit of Zipari’s data security practices and has offered those affected credit monitoring services.
The incident was reported to HHS on June 16 by the health plan as impacting 49,511 members.