Florida-based CarePlus Health Plans has experienced a PHI breach in which certain plan members’ protected health information was disclosed, in error, to other plan subscribers.
A mailing of Explanation of Benefits (EoB) statements was sent to plan members between January 9 and January 16, 2018. On January 17, Miami-based CarePlus discovered that a number of the statements had been sent to the wrong people.
The EoB statements listed names, addresses, dates of service, providers of services, the services that had been given, CarePlus identification numbers and CarePlus health plan titles. Highly sensitive data such as Social Security numbers and financial details were not listed on the EoB statements. CarePlus has not received any reports to suggest that any of the disclosed information has been improperly used.
CarePlus has investigated the incorrect mailing incident and has taken action to prevent similar privacy incidents in the future. CarePlus says the incorrect mailing incident was due to a number of programming and printing errors. Breach notification letters are now being sent to all individuals affected by the breach to make them aware of the accidental sharing of their private health information.
The incorrect mailing incident has not been posted on the Department of Health and Human Services’ Office for Civil Rights (OCR) data breach portal, although WFLA has remarked that the incident could have exposed almost 11,200 plan members.
This is the second incorrect mailing incident experienced by CarePlus Health Plans in the past three years. In September 2015, CarePlus revealed that more than 1,400 of its plan subscribers had been exposed in an incorrect mailing incident in which two EoB statements were accidentally inserted into the wrong envelopes: the correct EoB statement and the statement of another CarePlus plan subscriber.