Blue Cross and Blue Shield of Rhode Island Privacy Breach Caused by External Mailing Vendor

by | Sep 27, 2018

Blue Cross and Blue Shield of Rhode Island (BCBSRI) is contacting 1,567 plan subscribers that a portion of their protected health information has been impermissibly made accessible by one of its business partners.

A BCBSRI vendor was hired to issue explanation of benefits statements to plan subscribers which contain summaries of the healthcare services subscribers have been allocated under their health plan.

However, a mistake was made which lead in statements being sent to the wrong individuals. The explanation of benefits statements included subscribers’ BCBSRI ID number, their service supplier(s), the service(s) provided, and the expense of the claims.

The impermissible disclosure of PHI was blamed on an error made by the vendor when partnering the explanation of benefits statements for certain people who are covered under the same policy. Combining the statements was aimed at reducing the number of summaries received by some subscribers.

The mistake lead to some explanation of benefits statements being incorrectly partnered in the mid-July mailings, which lead to the summaries being sent to wrong family subscribers or other people in the household that were covered by the same policy.

Upon discovery of the mistake, BCBSRI advised the vendor to stop partnering the statements and individual summaries will still be sent to members while BCBSRI looks for a different solution.

BCBSRI released a statement in relation to the incident confirming that the mistake only resulted in the disclosure of PHI to family subscribers or other individuals in the same household covered by the policy, not to any other members.

Since members’ Social Security details and dates of birth are not included in the summaries, and only family subscribers received the summaries, the danger of any data being misused is believed to be minimal.

All people who have been affected by the incident will be alerted about the privacy breach by mail in the next few days.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy