19,570 Missouri Care Members’ PHI Exposed in Mailing Error

A mailing mistake that was sent to Missouri Care subscribers reminding them to reserve well-child visits has resulted in the accidental disclosure of the personal data of approximately 20,000 children to other Missouri Care subscribers.

The personal information included in the letters was restricted to children’s names, ages, and the names of their supplier’s. Health information and other sensitive data was not accessed, so the possibility the information to be misused is minimal. However, as a precautionary measure, parents and legal guardians of impacted children have been warned to closely review their credit card bills and account statements for any unusuals activity and told not to reply to any email requests asking for further personal information. Free credit monitoring services have been offered to all people impacted by the breach.

WellCare Health Plans Inc., identified the error on July 25, 2018 and initiated an investigation to deduce how the error happened and the clients that were affected. The mailing had been broadcast to 19,570 individuals, although it is unclear how many of those letters were incorrectly labelled.

The personal information that was exposed is classified as protected health information under HIPAA, and as such, the exposure of the data requires notifications to be issued to all affected people. Since the incident involved over 500 people, a media notice about the breach was also an obligation and was sent to the Kansas City Star.

In the letter which was sent, WellCare Health Plans VP and chief security and privacy officer stated “Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”

WellCare Health Plans Inc., said policies and processes for mailings have been audited and updated to stop similar incidents from occurring going forward.

This is the second incorrect mailing incident to impact Missouri Care members in the past 12 months. A similar mis-mailing incident occurred in August 2017, which led to the accidental disclosure of the PHI of 1,223 plan subscribers. In that instance, the error was made by a subcontractor hired for the mailing.