
A data breach involving unauthorized access to paper records of Brown employees and their family members occurred in December, and Brown officials were notified of the breach Jan. 5, said David Sherry, chief information security officer.

Blue Cross Blue Shield of Rhode Island accidentally sent paper records of more than 500 Brown employees and their family members to another subscriber company and its agent, according to Sherry.

Within 24 hours, both the companies received the records and, upon recognizing the mistake, destroyed the records and notified Blue Cross Blue Shield, which subsequently notified Brown, he added.

There was no health or Social Security information in the sent report, Sherry said. It only included names, Blue Cross subscriber numbers and "charges during the period."

"From what we were told … it was human error," Sherry said. He said there was no "malicious intent" or "criminal activity."

Brown addressed the breach with legal counsel, human resources and Sherry, Sherry said. They "pressed" Blue Cross Blue Shield to "do a few things," including recovering all the copies, notifying the affected individuals, offering a change of subscriber numbers and reviewing its claims for the next six months, Sherry added. 

"Brown has no responsibility in this whatsoever, but we took it very, very serious — enough to make sure that Blue Cross Blue Shield acted in a way that would rectify this whole thing and protect our employees and their families," Sherry said.

Blue Cross Blue Shield "conducted an internal review and modified existing security procedures to prevent a similar situation from occurring in the future," Director of Communications Services Jacqueline Ibbitson wrote in an e-mail to The Herald. The company "will also be conducting an audit of the affected members' claims later this year," she added, declining to answer further questions.

Brown was required by new legislation to report the breach to the U.S. Department of Health and Human Services because the privacy breach affected over 500 individuals, Sherry said.

The law is part of the Health Information Technology for Economic and Clinical Health Act, intended to "safeguard" private information and build consumer trust, according to an official at the Office for Civil Rights at the Department of Health and Human Services.

There have been 47 breaches of "unsecured protected health information affecting 500 or more individuals" across the nation since the act was implemented last August, according to a list of breaches posted on the department's Web site. The majority of the breaches were due to theft, according to the Web site.

Though the breach was publicized on the department's Web site, there has been little media attention to the breach at Brown. This is because the breach was of "low risk" and because Brown was required to notify the media only if the breach affected more than 500 people from one state, Sherry said. Affected individuals reside in three different states — Rhode Island, Massachusetts and Connecticut, according to Sherry.

"Quite frankly," Sherry said, "Brown did not make any mistakes."


All Content © 2022 The Brown Daily Herald, Inc.