Tufts Health Plan had a data breach that exposed the health plan member ID numbers of 70,320 members. The mailing vendor of Tufts Health Plan sent Preferred ID cards to Tufts Medicare Advantage members from December 11, 2017 to January 2, 2018. The envelopes used with the ID cards had plastic windows through which the plan members’ names and addresses were visible. Sorry to say, Tufts Health Plan member ID numbers were also visible. Tufts Health Plan discovered the mailing error on January 18 only.
The Social Security numbers or Medicare numbers of members were not used to create the Tuft Health Plan member IDs. However, it’s possible that someone might misuse the member ID numbers to avail of services covered by the health plan. According to legal experts, the risk of misuse of the plan members’ ID numbers is very low since it’s likely that employees of the postal service will be the only ones to see the member IDs. Tufts Health Plan sent notification to the plan members about the breach and informed them that in case of member ID misuse, they will not pay for the charges. Plan members are encouraged to review their Explanation of Benefits statements and submit a report if they see any services detailed on the statements that they have not availed.
After the incident, the health plan worked closely with the vendor to make sure that a similar mailing error will not happen again. The mailing vendor confirmed that they had fixed the cause of the privacy incident. Thankfully, this privacy breach had limited impact on the patients. Other similar incidents resulted to serious problems just as the case of Aetna’s business associate. A mailing error sent to about 12,000 plan members on July 28, 2017 resulted to the disclosure of the members’ receiving HIV medications. It was not only the postal service people who knew about the information, but also family members and roommates. Aetna had paid $18.15 million in fees and fines because of this data breach.
Another data breach incident of the same nature affected Amida Care in 2017. In this case, the phrase “Your HIV detecta” was visible through the envelope window. Since more than one breach incident had been associated to the use of envelopes with clear plastic windows, stringent checks should be employed to make sure that sensitive information will not be visible through the envelope window.