The protected healthcare information of nearly 20,000 children enrolled in the Missouri Medicaid Plan has been exposed due to a mailing error.
The PHI was exposed when WellCare Health Plans, which administers the Missouri Medicaid Plan, sent a letter to Missouri Care members reminding them to book a “well-child” visit. The letters were sent to incorrect addressed, resulting in parents receiving information on other people’s children. The information disclosed in the letter was limited to names, ages, and the name of their provider. As other sensitive data was not exposed, the potential for misuse was determined to be low, and the children were not at risk of identity fraud. The breach was discovered on July 25.
Despite the low risk, the parents and legal guardians of affected children have been advised to monitor their credit card bills and account statements for any suspicious activity and told not to respond to any email requests asking for further personal information. Free credit monitoring services have been offered to all individuals affected by the breach by WellCare Health Plans Inc.
“As we continue to investigate the scope of the incident, we are taking steps to prevent something like this from happening again,” said Ted Webster, vice president and chief security and privacy officer at WellCare.
It is still unclear how many of the 19,570 letters about the “well-child” visits were sent to the wrong people, or how the letters came to be incorrectly addressed.
The personal information that was exposed is classed as protected health information under HIPAA. Therefore, even though minimal information was exposed in the breach, breach notifications were sent to all affected individuals, in accordance with HIPAA’s Breach Notification Rules. HIPAA also dictates that for any incident which affects more than 500 individuals, a media notice about the breach was also warranted. This notice was sent to the Kansas City Star.
In the letter, WellCare Health Plans VP and chief security and privacy officer said, “Missouri Care is deeply committed to protecting our members’ privacy, and we apologize for any inconvenience this incident may have caused.”
WellCare Health Plans Inc., said policies and procedures for mailings have been reviewed and updated to prevent similar incidents from occurring in the future.
This is the second incident involving the exposure of PHI due to a mailing incident at Missouri Care this year. A similar mis-mailing error occurred in August 2017, which resulted in the accidental disclosure of the PHI of 1,223 plan members. In that case, the error was made by a subcontractor, O’Neill Printing, used for the mailing. Names, birthdays, and Medicaid account numbers were exposed in that breach.
WellCare was also involved in another recent data breach due to a mailing error. The incident, which occurred in New York, saw 500 people’s PHI exposed. Again, a third party vendor was blamed.