A privacy incident has been suffered by Miami, FL-based CarePlus Health Plans where certain plan subscribers’ protected health information were mistakenly shared with other plan subscribers.
Benefits statement explanations were sent to its plan subscribers on January 9 and January 16, 2018, although on January 17, CarePlus noticed that some of the statements had been sent to the wrong recipients.
The EoB statements included details like names, addresses, dates of service, providers of services, the services that had been supplied, CarePlus identification numbers and CarePlus health plan identities. Highly sensitive data such as Social Security numbers and financial information were not included on the EoB statements. CarePlus has not received any reports to imply any of the disclosed PHI has been misused.
The mismailing incident has been reviewed by CarePlus and moves have been made to prevent any similar privacy incidents from happening going forward. CarePlus says the mismailing incident happened as a result of a series of programming and printing mistakes. Breach notification letters are now being sent to all people affected by the breach to make them aware about the accidental disclosure of their private health information.
The incident has yet to be published on the Department of Health and Human Services’ Office for Civil Rights data breach online portal, although WFLA has reported that incident affects around 11,200 plan subscribers.
This is the second mailing mistake incident to be reported by CarePlus Health Plans in the past three years. In September 2015, CarePlus revealed that over 1,400 of its plan subscribers had been affected by a mailing mistake that saw two EoB statements mistakenly put into envelopes – the correct EoB statement and the statement of another plan subscriber.