Macomb County, Michigan notifies employees and dependents of business associate breach
Update: After this entry was posted, PHIprivacy.net received additional information indicating that there were actually two Macomb County Business Associates involved in the provision of the file to the County. “One of these two Business Associates is U.S. Health Holdings’ subsidiary Automated Benefit Services,” a spokesperson for the county’s communications firm tells PHIprivacy.net. “The breach did not occur at or by Automated Benefit Services, but the breach was reported to HHS by U.S. Health Holdings Ltd on behalf of Covered Entity Macomb County. The other Business Associate is not a U.S. Health Holdings Ltd. subsidiary or client of ours,” the spokesperson writes.
A new entry on HHS’s public breach tool involves an incident reported by U.S. Health Holdings, Ltd. on behalf of Macomb County, Michigan. The breach is coded on the tool as involving “Unauthorized Access/Disclosure.”
On October 1, Macomb County issued a press release about the incident that was sent to various news outlets serving Macomb County, Michigan: the Macomb County Daily, the Detroit News, and the Detroit Free Press. It was also issued to NBC affiliate WDIV. A copy of the release was sent to PHIprivacy.net by the county’s communications firm, Lewis Brisbois Bisgaard & Smith LLP:
Although there is no indication of any actual or attempted misuse of personal information or protected health information belonging to participants in the Macomb County Medical, Dental, and Vision Plans (the “Plans”), Macomb County, Michigan (the “County”) will be notifying employees, as well as their dependents and spouses, who have the potential to be affected by the inadvertent posting of certain information on the Michigan Inter- Governmental Trade Network (“MITN”) website.
The inadvertent posting occurred in conjunction with the County soliciting bids from potential Plan service vendors. As part of the competitive bid process, the County received a file inadvertently containing personal information from one of its vendors. The file was then posted to the registered user-only restricted access portion of MITN from July 3, 2014 to July 31, 2014 so that potential bidders were able to review the information and submit bids to the County. Thereafter and until the situation was discovered on September 10, 2014, the information was accessible to MITN users by way of a link from the MITN homepage. The file posted to MITN contained participant names, dates of birth, social security numbers, zip codes, cities, and Plan carrier names. This file did not include any treatment, diagnosis or treating physician information, or Plan identification numbers. Once discovered, the information was immediately removed from MITN. A thorough investigation into this matter has been performed and changes have been made to the County’s competitive bidding process to prevent this from occurring again in the future.
On September 30, 2014, letters were mailed to those participants identified as being potentially affected by the incident, and to the parents/guardians of participants’ potentially affected dependents. Notice of this incident was also provided to the U.S. Department of Health and Human Services and to the national consumer reporting agencies on October 1, 2014.
Although there is no report of any attempted or actual misuse of participant information, those identified as being potentially affected are also receiving access to one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and to an identity theft protection specialist.
To further protect against identity theft or other financial loss, individuals are encouraged to remain vigilant, review account statements and monitor credit reports for suspicious activity. Under U.S. law, individuals are entitled to one free credit report annually from each of the national consumer reporting agencies. Free credit reports can be ordered at www.annualcreditreport.com or by calling 1-877-322-8228. The national consumer reporting agencies can also be contacted directly to request a free credit report.
Individuals are also encouraged to review Explanation of Benefits statements received from insurers for suspicious activity. If an individual does not receive regular Explanation of Benefits statements, he or she can contact his or her insurer to request copies. Individuals may want to order copies of credit reports to check for any unrecognized medical bills. If an individual finds anything suspicious, he or she may call the credit reporting agency at the phone number on the report.
At no charge, an individual can have the national consumer reporting agencies place a “fraud alert” on the individual’s file that alerts creditors to take additional steps to verify the individual’s identity prior to granting credit in the individual’s name. As soon as one national consumer reporting agency confirms the fraud alert, the others are notified to place fraud alerts on the individual’s file. Because a fraud alert tells creditors to follow certain procedures to protect the individual against identity theft or fraud, it may also delay the individual’s ability to obtain credit while the agency verifies the individual’s identity. The contact information for the national consumer reporting agencies is: Equifax P.O. Box 105069, Atlanta, GA 30348-5069, 800-525-6285, www.equifax.com; Experian P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion P.O. Box 2000, Chester, PA 19022, 800-680-7289, www.transunion.com.
Individuals can also further educate themselves regarding identity theft, and the steps that can be taken to protect themselves, by contacting their state Attorney General or the Federal Trade Commission. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653- 4261. Instances of known or suspected identity theft should be reported to law enforcement, your Attorney General, and the FTC. Known or suspected incidents of identity theft or fraud should be reported to law enforcement.
Anyone with any additional questions may contact the confidential assistance line, available at 1- 877-313-1395 between 8:00 a.m. and 8:00 p.m., Central Standard Time, Monday through Saturday.
That’s a fairly comprehensive notification and really gives those potentially affected the information and tools they need to protect themselves and their dependents.
According to the notification to HHS, 6,302 employees and dependents were notified of the breach.