Blue Cross and Blue Shield of Rhode Island (BCBSRI) is contacting 1,567 plan subscribers that a portion of their protected health information has been impermissibly made accessible by one of its business partners.
A BCBSRI vendor was hired to issue explanation of benefits statements to plan subscribers which contain summaries of the healthcare services subscribers have been allocated under their health plan.
However, a mistake was made which lead in statements being sent to the wrong individuals. The explanation of benefits statements included subscribers’ BCBSRI ID number, their service supplier(s), the service(s) provided, and the expense of the claims.
The impermissible disclosure of PHI was blamed on an error made by the vendor when partnering the explanation of benefits statements for certain people who are covered under the same policy. Combining the statements was aimed at reducing the number of summaries received by some subscribers.
The mistake lead to some explanation of benefits statements being incorrectly partnered in the mid-July mailings, which lead to the summaries being sent to wrong family subscribers or other people in the household that were covered by the same policy.
Upon discovery of the mistake, BCBSRI advised the vendor to stop partnering the statements and individual summaries will still be sent to members while BCBSRI looks for a different solution.
BCBSRI released a statement in relation to the incident confirming that the mistake only resulted in the disclosure of PHI to family subscribers or other individuals in the same household covered by the policy, not to any other members.
Since members’ Social Security details and dates of birth are not included in the summaries, and only family subscribers received the summaries, the danger of any data being misused is believed to be minimal.
All people who have been affected by the incident will be alerted about the privacy breach by mail in the next few days.