Title: Blue Cross Mistake Releases Personal Info of 12K Members - ABC6.com
Date: 05/14/10
Business Activities: Data Management - Destruction, Breach Response
Impact to Subscriber:

Sensitive data, including Social Security numbers, held by an organization was inadvertently left in a filing cabinet donated with other surplus office furniture to a local nonprofit organization. The organization's Privacy Officer immediately retrieved the documents and determined that the disclosure was the result of the failure of certain employees to adhere to the company's strict policies and procedures (the responsible employees have been appropriately disciplined, including termination). The organization notified the U.S. Department of Health & Human Services Office for Civil Rights and provided affected individuals with daily monitoring and timely alerts of any key changes to credit reports, daily scanning of the Internet for their Social Security, credit card and debit card information, and a $1 million product guarantee to reimburse them for identity theft related losses such as lost wages, legal fees, and stolen funds should the protection fail.

Authority:
Risk Guidance:
Control Guidance:

Relevance:
Background Facts:
  • ABC6.com has reported that Blue Cross & Blue Shield of Rhode Island ("BCBSRI") suffered a security breach impacting approximately 12,000 BlueCHiP for Medicare members.


Relevance to Business Activity:

  • data management - destruction considerations:
    • BCBSRI announced that personal information belonging to approximately 12,000 BlueCHiP for Medicare members was inadvertently contained in a filing cabinet donated with other surplus office furniture to a local nonprofit organization: [Risk]
      • the filing cabinet contained completed BlueCHiP for Medicare Health Surveys, and the surveys included:
        • names;
        • addresses;
        • telephone numbers;
        • Social Security numbers; [Risk]
        • Medicare identification numbers; and [Risk]
        • self-reported medical information. [Risk]

  

  • breach response considerations:
    • BCBSRI's Privacy Officer:
      • immediately retrieved the documents; and [Control]
      • launched a full investigation:
        • BCBSRI's internal investigation revealed that the disclosure was the result of the failure of certain employees to adhere to the company's strict policies and procedures:
          • the responsible employees have been appropriately disciplined, including termination. [Control]
    • BCBSRI notified appropriate federal and state authorities of the incident, including the:
      • U.S. Centers for Medicare and Medicaid Services;
      • U.S. Department of Health & Human Services Office for Civil Rights; [Control]
      • Rhode Island Attorney General; and
      • Rhode Island Health Insurance Commissioner.
    • in a letter to the approximately 12,000 affected BlueCHiP for Medicare members, BCBSRI:
      • apologized for the error;
      • notified them of a special hotline available;
      • offered each affected member free credit monitoring for one year;
      • assistance in every aspect of identity theft protection; and
      • identity protection product guarantee for one year, provided by an Experian company:
        • members were given direct access to immediately activate their protection;
        • among other services, members will have free access to:
          • a copy of their Experian credit report;
          • daily monitoring and timely alerts of any key changes to their credit reports; [Control]
          • daily scanning of the Internet for their Social Security, credit card and debit card information to better protect against potential fraud; [Control]
          • assistance with the cancellation of their credit and debit cards;
          • toll-free access to a dedicated team of fraud resolution representatives who will:
            • help investigate each incident;
            • contact credit grantors to dispute charges;
            • close accounts, if necessary;
            • compile documents; and
            • contact all relevant government agencies.
          • a $1 million product guarantee to reimburse them for identity theft related losses such as lost wages, legal fees, and stolen funds should the protection fail. [Control]

 


Source Document:

http://ww.abc6.com/global/story.asp?S=12326346&clienttype=generic&mobilecgbypass
