Dec 14, 2018

Jasper Lindell reports:

ActewAGL has confirmed 400 electricity, gas and water customers have received bundles of bills addressed to other utility customers in a massive privacy breach affecting 6000 customers in the ACT and NSW.


ActewAGL notified the Privacy Commissioner of the breach after it became aware of the mistake on Wednesday and had set up a taskforce by Friday afternoon to respond to affected customers.

Read more on Canberra Times.

Dec 14, 2018

Hilary Bird reports:

An N.W.T man says he found hundreds of confidential medical records at the Fort Simpson dump.


The documents contain detailed information about patients’ mental health and history of drug use, including applications to addictions treatment facilities, progress reports from those facilities, and detailed notes from one-on-one counselling sessions.


The documents, many of which were on N.W.T. government letterhead, also included social insurance, treaty and health card numbers.

Read more on CBC.ca.

Dec 10, 2018

Kimberly Bosco reports:

New York-based health insurance provider EmblemHealth, Inc. is paying the state of New Jersey a hefty fine for disclosing confidential personal information of over 6,000 New Jersey customers.


Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced on Dec. 10 that EmblemHealth will pay NJ a $100,000 civil penalty. The terms of the settlement also stipulate that the insurance company must implement a variety of significant internal compliance reforms to better safeguard the personal information of its policy holders, according to the Attorney General’s office.

EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement.

Read more on Jersey Shore Online.  

This is the 2016 breach that affected more than 80,000 policyholders. New York settled with EmblemHealth in March of this year for $575,000, but NY had many more residents affected than New Jersey. The press release from the NJ Attorney General’s Office appears below. You can access a copy of the consent order here.

TRENTON – Attorney General Gurbir S. Grewal and the Division of Consumer Affairs announced today that health insurance provider EmblemHealth, Inc. has agreed to pay the State a $100,000 civil penalty to resolve allegations it improperly disclosed the highly confidential personal information of more than 6,000 New Jersey customers. 


Under terms of the settlement, EmblemHealth, one of the nation’s largest non-profit health insurance plans, also must implement a variety of significant internal compliance reforms designed to better safeguard the personal information of its policy holders. EmblemHealth’s subsidiary, Group Health Incorporated, is also a party to the settlement. Both companies are headquartered in New York. 


The agreement announced today resolves the State’s investigation into an October 2016 breach incident in which EmblemHealth improperly displayed the Medicare Health Insurance Claim Numbers (HICN), which mirror individual Social Security numbers, belonging to more than 81,000 policy holders, 6,443 of whom reside in New Jersey. 


“Health insurers entrusted with their customers’ sensitive personal information have a duty to avoid improper disclosures,” said Attorney General Grewal. “EmblemHealth fell short of its obligations to its customers in this case, and I am pleased that our settlement includes measures designed to prevent similar breaches at this company in the future.” 


“Consumers need to know that when companies ask for or require highly sensitive personal information – such as their Social Security numbers – the information will be stored securely and utilized discreetly,” said Paul R. Rodríguez, Acting Director of the Division of Consumer Affairs. “This settlement should serve as a reminder that we are committed to safeguarding consumer privacy, and will hold accountable any businesses that are careless in the handling of such personal data.”


The incident at issue took place on October 3, 2016 when EmblemHealth’s vendor sent a paper copy of EmblemHealth’s Medicare Part D Prescription Drug Plan’s Evidence of Coverage to 81,122 of its customers, including 6,443 who live in New Jersey.


The label affixed to the mailing improperly included each customer’s HICN, which incorporates the nine digits of the customer’s Social Security number, as well as an alphabetic or alphanumeric beneficiary identification code. (The number shown was identified as the “Package ID#” on the mailing label and did not include any separation between the digits.)


During its investigation, the Division found that following the departure of the EmblemHealth employee who typically prepared the Evidence of Coverage mailings, the task was assigned to a team manager of EmblemHealth’s Medicare Products Group, who received minimal training specific to the task and worked unsupervised. Before forwarding the data file to the print vendor, this team manager failed to remove the patient HICNs from the electronic data file. 


The Division’s investigation resulted in allegations that EmblemHealth violated the New Jersey Identity Theft Prevention Act, the New Jersey Consumer Fraud Act and the Health Insurance Portability and Accountability Act (HIPAA).


Among other settlement terms, EmblemHealth has agreed to no longer use HICNs that include Social Security numbers and/or Medicare Beneficiary Identifiers to identify customers in mailing files. Instead, the company will convert to a system that employs unique identifiers to identify its customers.
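The press release describes both the failure (a print-vendor data file whose “Package ID#” column still carried HICNs, i.e. a nine-digit SSN plus a beneficiary code with no separators) and the remedy (stop using HICNs in mailing files and switch to opaque unique identifiers). The following is an added example, not code from EmblemHealth, its vendor, or the Division: a pre-release check that scans an outbound mailing file for HICN-shaped values and replaces them with a keyed, non-reversible customer identifier. The exact HICN suffix format, the column names, the sample rows and the HMAC-based identifier scheme are assumptions made for the demonstration.

```python
import csv
import hashlib
import hmac
import io
import re

# HICN shape as the press release describes it: nine SSN digits followed by an
# alphabetic or alphanumeric beneficiary code, printed with no separators.
# Assumed suffix format: one letter optionally followed by one letter/digit.
HICN_RE = re.compile(r"^\d{9}[A-Z][A-Z0-9]?$")

# Constructed sample of an outbound print-vendor file (fictional people/values).
SAMPLE_CSV = """name,address,package_id,plan
Ada Example,1 Test St Trenton NJ,123456789A,Part D
Ben Sample,2 Test St Newark NJ,987654321B1,Part D
Cara Demo,3 Test St Camden NJ,PKG-00042,Part D
"""


def parse_mailing_file(csv_text):
    """Read a CSV mailing file into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_hicn_like_values(rows):
    """Return (row_index, column, value) for every field that looks like a HICN.

    Every column is inspected, not just the one expected to hold the identifier,
    because the 2016 mailing leaked the HICN through a mislabelled field.
    """
    hits = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if val and HICN_RE.match(val.strip()):
                hits.append((i, col, val.strip()))
    return hits


def opaque_customer_id(hicn, key):
    """Derive a stable, non-reversible mailing identifier from a HICN.

    Assumed scheme: HMAC-SHA256 under a key held only by the insurer, truncated
    for label use. The vendor never needs the key, so it cannot recover the SSN.
    """
    digest = hmac.new(key, hicn.encode(), hashlib.sha256).hexdigest()
    return "CUST-" + digest[:12].upper()


def scrub_mailing_file(rows, key):
    """Replace every HICN-shaped value in-place; return the list of replacements made."""
    hits = find_hicn_like_values(rows)
    for i, col, val in hits:
        rows[i][col] = opaque_customer_id(val, key)
    return hits


def safe_to_release(rows):
    """Release gate: True only when no HICN-shaped value remains anywhere in the file."""
    return len(find_hicn_like_values(rows)) == 0


if __name__ == "__main__":
    rows = parse_mailing_file(SAMPLE_CSV)
    print("safe before scrub:", safe_to_release(rows))
    for hit in scrub_mailing_file(rows, b"demo-key-not-for-production"):
        print("replaced HICN-shaped value:", hit)
    print("safe after scrub:", safe_to_release(rows))
```

The gate is deliberately run over every column rather than the one nominally holding the identifier; a check scoped to the “correct” column would have passed the 2016 file, where the HICN appeared under the “Package ID#” label. In a real deployment the insurer would keep a mapping table from the opaque identifier back to the policyholder so returned mail can still be matched.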


EmblemHealth also has agreed to require the formal transfer of an outgoing employee’s responsibilities to another qualified employee or third party, and that the transition process will include necessary training. Further, the company has agreed to engage a training vendor and implement new privacy and security training modules for employees upon hiring, and on an annual basis after that. 


In addition, EmblemHealth has agreed to notify not only its customers but, for the next three years, the Division of Consumer Affairs when any breach of security affecting the personal information of New Jersey customers takes place.


Investigator Walter R. Kaminski of the Office of Consumer Protection within the Division of Consumer Affairs conducted this investigation.
Deputy Attorney General Lara J. Fogel, along with former Deputy Attorney General Michelle T. Weiner of the Government & Healthcare Fraud Section within the Division of Law, represented the State in this matter. 



Dec 01, 2018

Note: Following publication of this story, DataBreaches.net was contacted by an SMMC employee who was very upset at what he claimed was inaccurate reporting by this site. He suggested that I do a “sanity-check” on reporting and was upset that I had reported that 5,000 patients were notified. I pointed out to him that the 5,000 figure came from HHS’s public breach tool. He backed off a bit and said he would investigate as that had not been reported to HHS. I never heard back from him or anyone else. As of Dec. 7, the 5,000 figure is still on HHS’s breach tool. So is the correct number 500 or 5,000 or something else? At this point, DataBreaches.net is really not sure.


The San Mateo Medical Center has notified 5,000 patients at its Daly City Medical Center location of a breach.

A November 30 notice on its web site explains that SMMC became aware on November 7, 2018 that on November 6, a

staff person at the Daly City Clinic left a box containing patient information under her desk overnight. The temporary housekeeping staff mistook the box for recycling and put the documents in the recycling bin and not the confidential bin for shredding.

SMMC was unable to determine whose records were in the bin, and so wound up notifying 5,000 patients.

In response to the incident, SMMC reinforced their policies about records to be shredded and eliminated the use of recycling bins altogether:

We regret that this incident occurred, and are reinforcing our policy that medical staff should place all documents with patient information in the confidential bin for shredding and not leave documents with patient information out overnight. A clinic site visit was conducted on November 8, 2018 and November 16, 2018. The clinic manager for Daly City instructed that recycling bins no longer be used and confidential information be immediately placed in a confidential shred bin.

Read their complete notification on their web site.

Nov 23, 2018

ABC17 reports a follow-up to a breach previously noted on this blog.

A Holts Summit woman is suing SSM Health St. Mary’s Hospital after she claims it didn’t do enough to protect the privacy of her medical records.

According to the lawsuit filed in Cole County, the patient, referred to as “T.K,” received a letter in July from SSM Health notifying her that her protected health information was left in open locations in the old St. Mary’s building, which was being readied for demolition.

Read more on ABC17.