First in New Jersey . . . now in Georgia.

The Atlanta Journal-Constitution reported yesterday that last week BC/BS of Georgia sent over 202,000 EOB letters to the wrong addresses. Apparently the letters were mistakenly directed to the addresses of other policyholders, and included patients’ names and insurance identification numbers, their doctors’ names, and in some cases Social Security numbers. United Press International also reports that "Blue Cross said the problem was the result of a change in the computer system that was not properly tested." Patients with sensitive diagnoses, like HIV/AIDS and other conditions, are particularly upset. Identity theft is also a big concern.

Georgia’s Insurance Commissioner, John Oxendine, ordered BC/BS of Georgia to give written notice to policyholders whose names were on the explanation of benefits letters and to compile a list of names of those who mistakenly received the forms (Georgia also has an enacted Security Breach Notification Law). The Commissioner is also "requiring the company to give a year of free credit monitoring to all affected customers," due to the risk of identity theft.

Back on January 28, 2008, Horizon BC/BS of New Jersey also experienced a data security breach that occurred when a Horizon employee’s laptop computer was stolen. The laptop contained the names, addresses and Social Security numbers of New Jersey employees and their dependents. Between 200,000 and 300,000 identities were on the stolen computer. One year of free credit report monitoring was offered in that instance as well.

In light of the government’s recent decision to pursue enforcement against Providence hospital in Washington for similar types of security breaches, it cannot be overemphasized that any organization that handles electronic health information should have an active and effective HIPAA Security compliance program. This includes, among other things, conducting testing and audits and having clear policies and procedures in place to safeguard against unintended disclosures.