StayWell breach affects over 12,000; how many more not disclosed (update1)
A breach at StayWell Health Management in 2012 resulted in at least three HIPAA-covered entities notifying patients, members, or employees. The incident was posted to HHS’s public breach tool in an update this week. According to HHS’s entries, Missouri Consolidated Health Care Plan notified 10,024 members while Clorox Company Group Insurance Plan notified 520 members and Nissan North America in Tennessee notified 1,511.
Entries on HHS’s breach tool show breach dates in March, April, and May of 2012, with the breach coded as “Unauthorized Access/Disclosure,Network Server.”
PHIprivacy.net contacted StayWell to ask for additional details, and was sent the following statement dated February 25, 2014:
StayWell Health Management has notified approximately 10,024 individuals that five spreadsheets containing information about their participation in the 2012 Eat for the Health of It or Stress Quest programs were made accessible through an internet search because the spreadsheets were inadvertently stored in a publicly accessible folder on StayWell’s system. StayWell Health Management administered these programs for Missouri Consolidated Health Care Plan (MCHCP). These spreadsheets contained each participant’s first and last name, email address, unique internal identification number, the then current week of the program, whether a participant elected to receive email notifications, and whether a participant had taken two short program surveys. The spreadsheets did not contain any other personally identifiable information.
These spreadsheets were accessible from March 23, 2012 to January 22, 2014. After being notified of the error on January 21, 2014, StayWell restricted access and removed the spreadsheets from public accessibility and has implemented additional educational and technological steps to ensure that this type of situation does not occur again.
StayWell is operating a toll-free call center to handle questions from affected participants between the hours of 8 a.m. and 8 p.m. Central Time Monday through Thursday, 8 a.m. and 6 p.m. Friday, and 8 a.m. and 1 p.m. Saturday. The number is 855-428-6325.
As required by the Health Insurance Portability and Accountability Act (HIPAA), the U.S. Department of Health and Human Services has been notified of the incident.
In additional communications to PHIprivacy.net, a StayWell spokesperson indicated that Clorox and Nissan also had similar types of information disclosed, as described above. They would not disclose, however, how many other StayWell clients were affected by the breach, nor the total number affected, saying, “To ensure privacy and confidentiality, we cannot provide additional information at this time.” I guess we’ll just have to see if any other entries show up on HHS’s breach tool.
Update1: A commenter, below, reports that University of Minnesota employees were also affected. If you received a letter from any other entity not already named in the post, please give the name of your employer/StayWell’s client, and the details of the breach notification letter you received if it’s anything different than what’s already been reported here.