According to a report provided to the Maryland Attorney General’s Office, an employee mistakenly transmitted an encrypted Excel file with enrollment data for Reed Smith to another group customer.
The file, containing names, addresses, dates of birth, identification numbers (which are the individuals’ Social Security numbers), type of insurance contract, effective date, and group billing information, was mistakenly transmitted on September 17th. The company receiving the information immediately realized the error and contacted Highmark.
Two Maryland residents were notified of the error, but the total number of individuals notified was not provided in the October 6th notification to the state.
Although there are many people who would not consider an incident a breach if the data are encrypted, it is not clear from the report whether the same encryption key is used for all customers. The fact that Highmark reports that it asked the customer to delete any paper copies of the mis-sent file suggests that the recipient would have been able to open another customer’s file.