DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

“We take your privacy seriously,” Saturday edition

Posted on October 31, 2020 by Dissent

As part of my research collaboration with Protenus for their Breach Barometer reports, I spend time every week reaching out to entities to ask them for details about incidents if I cannot find any notice on their site or a state attorney general’s site.  Most entities respond with the requested information or a copy of their notification.  Not all do, however. A few ignore requests, and on rare occasions, I may get an entity refusing to answer any questions at all. This month, I actually had two entities refuse to provide information to me. One of them was Piedmont Community College, which I reported on here and will continue to investigate. The other was Tufts Health Plan.

Earlier this month, I noticed that Tufts Health Plan (THP) had reported a breach that impacted 206 Massachusetts residents.

Tufts Health Plan logo

Because they are a HIPAA-covered entity, I reached out to them to ask for information on the incident. I wrote, in relevant part,

I see that Tufts Health Plan reported a breach to Massachusetts on October 2, but I don’t see any notification or substitute notice on the health plan’s web site. Can you point me to the notification’s url or email me a copy of any notification? I have no idea if this was an employee data breach or a PHI breach, or how many people, total, were impacted, and how?

Kathleen Makela of Tufts Health plan replied:

A notification was made to the Massachusetts Attorney General’s Office on October 2, 2020. All required notifications have been provided pursuant to Massachusetts law.

Fearing that she had misunderstood my inquiry, I replied:

I did not accuse Tufts of not making notifications required by law. I asked you for a copy or to point me to a url where it is already publicly available. Can you please provide me with a copy for our research and reporting purposes? Thank you.

Somewhat to my surprise, Makela replied:

We are not required to make a public notice in this instance. Affected members have been notified.

I guess they never heard the old, “If you have nothing to hide…”

Now wondering if THP might have something to hide, I filed under Freedom of Information and requested all reports that Tufts Health Plan had submitted to Massachusetts in 2020. The state provided me with the responsive records today.

Let’s start with the breach I had contacted THP about.  On October 2, their external counsel notified the state that on August 5, a Tufts Health Plan (THP) employee “sent an email containing eligibility data files for members of an employer group to representatives of a vendor that inadvertently included members of other employer groups that were not meant for that vendor.” The error, which was discovered the same day, impacted 206 plan members residing in Massachusetts, including 37 minors. They were offered credit monitoring and mitigation services (credit monitoring offers are required by Massachusetts law for this type of breach). THP’s notification stated that in response to the incident, they retrained the employee.

Human error.  No big deal, right.  But wait, there’s more. Let’s back up:

  • On February 28, their external counsel had notified the state that on January 16, a THP employee “sent an email to an external broker providing online access to THP’s broker portal, which included an authorization form containing the broker’s name and Social Security number.” The email also inadvertently included authorization forms for nine other brokers that were not intended for this broker, which contained those brokers’ names and Social Security numbers. The affected Massachusetts residents were offered credit monitoring services and identity theft restoration services, and the employee was retained. In their notification to those affected, THP assured them that they maintain a Written Information Security Program as required by Massachusetts law.
  • On February 28, their external counsel sent a separate notification to the state explaining that on January 23, an employee “sent a secure email to representatives of a THP full insured employer group that inadvertently included an attachment containing information relating to a different THP employer group with a similar group name.” The attachment included THP member names and Social Security numbers of 53 Massachusetts residents. Once again, there was an offer of credit monitoring and identity theft restoration services. Once again, THP assured the state and those impacted that they maintain a Written Information Security Program as required by Massachusetts law. And once again, an employee was retrained.
  • On August 31, their external counsel notified the state that on June 29, an employee “sent a secure email to representatives of a provider organization in the THP provider network that inadvertently included an attachment containing unrelated claims payment information.” The file included provider names and tax ID/Social Security numbers of 111 Massachusetts residents. Once again, THP offered credit monitoring and identity theft restoration services.  And yes, they reported that they retrained the employee.

Four human error breaches involving email attachments in less than one year by a HIPAA covered entity.  More than 350 Massachusetts residents whose SSN was involved (we do not know the total number of those impacted by each incident — only the number for Massachusetts).

A check of HHS’s public breach tool does not reveal any reports, so it may be less than 500 total for each of these incidents, but the fact that there have been four of them this year and all involving email attachment errors that are not caught before emails go out makes it somewhat difficult to believe that Tuft’s retraining is a sufficient and adequate approach to preventing future problems.

From now on, I will be watching for more breach reports by Tufts Health Plan.  But more than me watching them, perhaps HHS should be looking at THP’s written information security program to see if it is appropriate when it comes to the handling of email attachments.

And as to THP’s lack of public transparency, well, their refusal to provide details on one incident wound up calling attention to four incidents, so I’m not sure how their response to media requests is working out for them.

Category: Breach IncidentsCommentaries and AnalysesExposureHealth DataU.S.

Post navigation

← New Haven Health Department failed to terminate former employee’s access to protected health information
REvil ransomware threat actors reveal their gaming company victim →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident
  • U.S. Government Employee Arrested for Attempting to Provide Classified Information to Foreign Government
  • St. Cloud Provides Update on Ransomware Attack in 2024
  • Bradford Health Systems detected abnormal network activity in December 2023. They first sent out breach notices this week.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans
  • The US Is Storing Migrant Children’s DNA in a Criminal Database

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.