Triple-S Advantage discloses PHI breach resulting from mailing error
Triple-S Advantage, the Blue Cross Blue Shield licensee in Puerto Rico, has run afoul of privacy and security regulations after mailing a large number of notices with protected health information to incorrect addresses.
The insurer sent notification letters to 36,305 patients outlining the disclosure of protected health information after the error was discovered. In November 2017, Triple-S sent postal notices containing PHI to providers, and the next month, it discovered that they were mailed to the wrong address.
The incident mirrors earlier ones at Triple-S, which was fined $3.5 million in 2015 by the HHS Office for Civil Rights and required to complete a comprehensive corrective action plan to improve the integrity and security of protected health information.
The punitive action was a result of at least four data breaches at the insurer from 2010 to 2014. Mailing errors were among the causes of data breaches in previous security incidents. In assessing the fine in 2015, OCR’s investigation found widespread non-compliance in protecting PHI, which included failure to implement appropriate administrative, physical and technical safeguards; impermissible disclosure of PHI to an outside vendor without obtaining a business associate agreement; use or disclosure of more PHI than was necessary; and failure to conduct a risk assessment.
In the most recent incident, the insurer said it was investigating the reasons why the mailing error occurred and what personal information was disclosed through the error.
“We have taken immediate steps to ensure additional notices to our members and your healthcare providers are sent to the correct address, such as correction of the mailing process, completion of tests and sending the letters to the correct address of your provider,” its letter noted.
Compromised information resulting from the breach included patient name, health plan identification number, date of service, and treatment codes.
Triple-S urged affected individuals to review explanation of benefits notices to ensure services reported were provided, and warned them not to provide any personal information if they receive unsolicited mail or phone calls that appear to be from Triple-S. The patient notification letter did not include an offer of credit monitoring and/or identity theft protection services. However, given that Social Security numbers, date of birth, mailing address and financial information were not disclosed, the company determined that it is unlikely that members are at risk of identity theft, according to a statement sent to Health Data Management.