“We take your privacy seriously,” Saturday edition
As part of my research collaboration with Protenus for their Breach Barometer reports, I spend time every week reaching out to entities to ask them for details about incidents if I cannot find any notice on their site or a state attorney general’s site. Most entities respond with the requested information or a copy of their notification. Not all do, however. A few ignore requests, and on rare occasions, I may get an entity refusing to answer any questions at all. This month, I actually had two entities refuse to provide information to me. One of them was Piedmont Community College, which I reported on here and will continue to investigate. The other was Tufts Health Plan.
Earlier this month, I noticed that Tufts Health Plan (THP) had reported a breach that impacted 206 Massachusetts residents.
Because they are a HIPAA-covered entity, I reached out to them to ask for information on the incident. I wrote, in relevant part,
I see that Tufts Health Plan reported a breach to Massachusetts on October 2, but I don’t see any notification or substitute notice on the health plan’s web site. Can you point me to the notification’s url or email me a copy of any notification? I have no idea if this was an employee data breach or a PHI breach, or how many people, total, were impacted, and how?
Kathleen Makela of Tufts Health plan replied:
A notification was made to the Massachusetts Attorney General’s Office on October 2, 2020. All required notifications have been provided pursuant to Massachusetts law.
Fearing that she had misunderstood my inquiry, I replied:
I did not accuse Tufts of not making notifications required by law. I asked you for a copy or to point me to a url where it is already publicly available. Can you please provide me with a copy for our research and reporting purposes? Thank you.
Somewhat to my surprise, Makela replied:
We are not required to make a public notice in this instance. Affected members have been notified.
I guess they never heard the old, “If you have nothing to hide…”
Now wondering if THP might have something to hide, I filed under Freedom of Information and requested all reports that Tufts Health Plan had submitted to Massachusetts in 2020. The state provided me with the responsive records today.
Let’s start with the breach I had contacted THP about. On October 2, their external counsel notified the state that on August 5, a Tufts Health Plan (THP) employee “sent an email containing eligibility data files for members of an employer group to representatives of a vendor that inadvertently included members of other employer groups that were not meant for that vendor.” The error, which was discovered the same day, impacted 206 plan members residing in Massachusetts, including 37 minors. They were offered credit monitoring and mitigation services (credit monitoring offers are required by Massachusetts law for this type of breach). THP’s notification stated that in response to the incident, they retrained the employee.
Human error. No big deal, right. But wait, there’s more. Let’s back up:
- On February 28, their external counsel had notified the state that on January 16, a THP employee “sent an email to an external broker providing online access to THP’s broker portal, which included an authorization form containing the broker’s name and Social Security number.” The email also inadvertently included authorization forms for nine other brokers that were not intended for this broker, which contained those brokers’ names and Social Security numbers. The affected Massachusetts residents were offered credit monitoring services and identity theft restoration services, and the employee was retained. In their notification to those affected, THP assured them that they maintain a Written Information Security Program as required by Massachusetts law.
- On February 28, their external counsel sent a separate notification to the state explaining that on January 23, an employee “sent a secure email to representatives of a THP full insured employer group that inadvertently included an attachment containing information relating to a different THP employer group with a similar group name.” The attachment included THP member names and Social Security numbers of 53 Massachusetts residents. Once again, there was an offer of credit monitoring and identity theft restoration services. Once again, THP assured the state and those impacted that they maintain a Written Information Security Program as required by Massachusetts law. And once again, an employee was retrained.
- On August 31, their external counsel notified the state that on June 29, an employee “sent a secure email to representatives of a provider organization in the THP provider network that inadvertently included an attachment containing unrelated claims payment information.” The file included provider names and tax ID/Social Security numbers of 111 Massachusetts residents. Once again, THP offered credit monitoring and identity theft restoration services. And yes, they reported that they retrained the employee.
Four human error breaches involving email attachments in less than one year by a HIPAA covered entity. More than 350 Massachusetts residents whose SSN was involved (we do not know the total number of those impacted by each incident — only the number for Massachusetts).
A check of HHS’s public breach tool does not reveal any reports, so it may be less than 500 total for each of these incidents, but the fact that there have been four of them this year and all involving email attachment errors that are not caught before emails go out makes it somewhat difficult to believe that Tuft’s retraining is a sufficient and adequate approach to preventing future problems.
From now on, I will be watching for more breach reports by Tufts Health Plan. But more than me watching them, perhaps HHS should be looking at THP’s written information security program to see if it is appropriate when it comes to the handling of email attachments.
And as to THP’s lack of public transparency, well, their refusal to provide details on one incident wound up calling attention to four incidents, so I’m not sure how their response to media requests is working out for them.