We may not see this one on HHS’s public breach tool (depending on the total number affected), but on July 18, Blue Cross Blue Shield of Michigan (BCBSM) and Blue Care Network (BCN) notified the New Hampshire Attorney General’s Office of an incident involving an insurance agency and its storage facility vendor.
According to the notification, BCBSM was notified by the Michigan State Medical Society Physician Insurance Agency on June 12 that two boxes containing protected health information about some members was misplaced by the agency’s storage facility. Fourteen boxes had been sent for storage in February, but two of the boxes were missing on May 1.
“After a thorough investigation, the boxes were not found,” Nicole Wotlinksi, Assistant General Counsel for BCBSM, informed the state.
Although BCBSM had no direct responsibility for the storage of the member records, they assisted the agency in investigating the incident and determining who might be affected.
The information in the boxes included member names, addresses, dates of birth, group numbers, claim details, provider names, service dates, service descriptions, dollar amounts charged and paid, and Social Security numbers from the years 2010-2011.
The agency is reported considering a new storage vendor.
Those affected have been offered a year of ID theft protection services with AllClear ID at BCBSM’s expense.
Parenthetically, I note that once again, personal information was inadvertently disclosed in the notification itself as the recipient’s name and address was not redacted.
This is the second incident reported this year by BCBSM and BCN. The first incident, which appears on HHS’s public breach tool, involved an e-mail incident affecting 502 members.