South Florida Community Care Plan has learned that an ex-employee mailed to a personal email account the internal documents that contain the protected health information (PHI) of plan members. The breach was identified on June 21, 2021 while the ex-employee’s email account is being reviewed.
An investigation of the unauthorized activity confirmed on June 21, 2021 that the records included these types of plan member data: Names, addresses, birth dates, primary care doctor names, member identification numbers, diagnoses, procedure billing codes, procedure types, and/or approved services.
The transmitting of plan members’ data to personal email accounts violates South Florida Community Care Plan policies; nevertheless, there is no proof found to suggest the data was sent beyond the range of the ex-employee’s job requirement.
South Florida Community Care Plan stated data security is one of its leading priorities and actions were undertaken to avoid unauthorized information access and exfiltration. The employee’s email account and login details were canceled when employment ended, a complete audit of the activities of the employee inside the IT system was done, and all company-given devices were retrieved. An additional audit of the employee’s activities while working at CCP was then done to make sure there were no other cases of unauthorized action.
All people impacted by the breach were already notified. As a preventative measure against identity theft and fraud, they were given free credit monitoring services. Impacted persons were informed to keep track of their accounts and credit reports for a period of 12-24 months to check for any indications of suspicious activity.
CCP already reported the data breach to the Department of Health and Human Services’ Office for Civil Rights. The breach report does not appear yet on the breach portal, therefore it is presently uncertain how many people were impacted.