Georgia Insurance Commissioner John Oxendine said Monday he is "very concerned" about a mistake that caused the personal information of thousands of Blue Cross Blue Shield of Georgia members to be mailed to the wrong people.
"This is the largest breach of privacy I’ve seen in my 14 years as commissioner," he said. "It’s a clear violation of state and federal laws."
Blue Cross has about 3.1 million members in Georgia and is the state’s largest medical insurer. It is a major provider for the state employee health benefit plan, which includes teachers.
The error occurred during the third week of July, when Blue Cross sent out "explanation of benefits" (EOB) letters to incorrect addresses. Blue Cross has not determined exactly how many letters were involved, but the insurance commission estimated the number at approximately 200,000.
Cindy Sanders, spokeswoman for Blue Cross Blue Shield of Georgia, said the actual number of patients affected is far smaller, because some people had multiple EOBs.
She said the problem occurred when Blue Cross changed the software it uses to print out mailings, and did not adequately test the new system prior to implementation. "It has been corrected, and will not happen again in the future," Sanders said.
But Gainesville resident Leslie Wade doesn’t feel reassured. Wade handles the medical bills for her son Joey Ledford, who suffered a traumatic brain injury several years ago and needs extensive medical care. He is insured through Blue Cross.
On July 25, Wade received a large packet containing EOBs from five different patients.
"Out of those, there were two that included Social Security numbers," she said. "These people all had different types of insurance plans (such as PPOs or HMOs) and different employers."
Wade said the documents are a gold mine for anyone who wants to commit medical identity theft.
"The form gives the patient’s name, identification number, group number, doctor’s name, employer, claim number, what they had done (at the doctor that day) and how much they’ve paid toward their deductible," she said.
"If I was a dishonest person, I could sell this to someone."
Blue Cross has offered up to a year of free credit monitoring for anyone whose identity may have been compromised. But Wade doesn’t think that’s enough.
"You can change your member ID or account number, but what if your Social Security number has been sold?" she said. "You can’t get a new one."
Sanders said Blue Cross is in the process of removing Social Security numbers from EOBs, and she said "only a small percentage" of the letters contained that information.
After Blue Cross learned about the security breach, the company set up a toll-free number, 866-800-8776, for members to call if they had received an incorrect EOB. Members will be sent a postage-paid envelope so they can mail back the letter.
Recovering the paper does not undo the disclosure, since a recipient could easily copy all the information before mailing it back.
"We want to be able to account for all the EOBs," Sanders explained.
Oxendine said when his office heard about the breach, he told Blue Cross to notify all policyholders whose information may have been sent to someone else.
Now, he’s also asking the company to send warning letters to those who received the mistaken EOBs. "Hopefully, that will make people less likely to use that information for sinister purposes," he said.
Oxendine said he feels personally affronted by the situation because his wife, a Blue Cross member, was among those whose information was erroneously sent out. "I’m not happy," he said. "I’m a victim just like these other people."
Oxendine said his technical staff is working with Blue Cross to figure out how this could have happened.
"We know it was a programming error, but how did it not get caught?" he said. "They should have had appropriate controls that would have stopped this."
He said once they’re able to ascertain what went wrong, technicians can test the computer systems of other insurance companies in Georgia to see if their safeguards are adequate.
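The control the commissioner is describing is an integrity check between a document and the envelope it is placed in, run before a print file is released. The following is an added illustration, not Blue Cross's code or anything the article describes in detail: the record layout, the member IDs, the sample claims and addresses, and the "positional join" defect are all constructed assumptions, since the article says only that new print software was put into use without adequate testing. The example pairs a merge that silently misdirects mail with one that joins on member ID, then runs a separate reconciliation gate that holds the batch if any envelope's addressee does not match the member on the document, if the batch size does not match the claims file, or if a Social Security number is still present (the article notes Blue Cross is removing SSNs from EOBs).

```python
"""Pre-print reconciliation gate for a batch EOB mailing (constructed example)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Eob:
    claim_id: str
    member_id: str
    patient: str
    ssn: Optional[str]  # the article says a minority of EOBs carried one


@dataclass(frozen=True)
class Address:
    member_id: str
    name: str
    street: str


@dataclass(frozen=True)
class Envelope:
    addressee_member_id: str
    addressee_name: str
    street: str
    document: Eob


class ReconciliationError(Exception):
    pass


# Constructed sample data (assumption). The address file is sorted differently
# from the claims file, which is exactly what a positional join gets wrong.
EOBS = [
    Eob("C100", "M1", "A. Patient", None),
    Eob("C101", "M2", "B. Patient", "123-45-6789"),
    Eob("C102", "M2", "B. Patient", None),
    Eob("C103", "M3", "C. Patient", None),
]
ADDRESSES = [
    Address("M3", "C. Patient", "3 Oak St"),
    Address("M1", "A. Patient", "1 Elm St"),
    Address("M2", "B. Patient", "2 Pine St"),
]


def merge_by_position(eobs: List[Eob], addresses: List[Address]) -> List[Envelope]:
    """Assumed defect: pair documents with addresses by list position, trusting
    that both files come out in the same order. zip() also drops the tail."""
    return [Envelope(a.member_id, a.name, a.street, e) for e, a in zip(eobs, addresses)]


def merge_by_key(eobs: List[Eob], addresses: List[Address]) -> List[Envelope]:
    """Join on member ID, the one field both files actually share."""
    by_id = {a.member_id: a for a in addresses}
    envelopes = []
    for e in eobs:
        a = by_id.get(e.member_id)
        if a is None:
            raise ReconciliationError(f"no address on file for member {e.member_id} (claim {e.claim_id})")
        envelopes.append(Envelope(a.member_id, a.name, a.street, e))
    return envelopes


def strip_ssn(eob: Eob) -> Eob:
    """Data minimisation: an EOB does not need the SSN to be useful to the member."""
    return replace(eob, ssn=None)


def reconcile(envelopes: List[Envelope], expected_count: int) -> List[str]:
    """Release gate, independent of whichever merge produced the print file."""
    problems = []
    for i, env in enumerate(envelopes):
        doc = env.document
        if env.addressee_member_id != doc.member_id:
            problems.append(f"item {i}: claim {doc.claim_id} for member {doc.member_id} "
                            f"is addressed to member {env.addressee_member_id}")
        if doc.ssn is not None:
            problems.append(f"item {i}: claim {doc.claim_id} still carries an SSN")
    if len(envelopes) != expected_count:
        problems.append(f"batch has {len(envelopes)} envelopes but {expected_count} claims")
    return problems


def release_decision(eobs: List[Eob], addresses: List[Address],
                     merge: Callable[[List[Eob], List[Address]], List[Envelope]]) -> Tuple[bool, List[str]]:
    """Run the pipeline and return (ok, problems); the file goes to print only if ok."""
    documents = [strip_ssn(e) for e in eobs]
    try:
        envelopes = merge(documents, addresses)
    except ReconciliationError as exc:
        return False, [str(exc)]
    problems = reconcile(envelopes, len(documents))
    return not problems, problems


if __name__ == "__main__":
    for name, merge in (("positional", merge_by_position), ("keyed", merge_by_key)):
        ok, problems = release_decision(EOBS, ADDRESSES, merge)
        print(f"{name}: {'RELEASE' if ok else 'HOLD'}", *problems, sep="\n  ")
```

The point of keeping `reconcile` separate from the merge is that it catches a defect in the merge regardless of how the merge was written; a test suite that only exercised the merge with already-aligned input would have passed the positional version.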
Meanwhile, state attorneys are exploring what penalties, if any, might apply to Blue Cross in this situation.
"I assure you, there will be sanctions," said Oxendine. "(Credit monitoring) is something Blue Cross offered to do, but it does not get them off the hook."
Each misdirected letter is an impermissible disclosure of patient information under the federal Health Insurance Portability and Accountability Act (HIPAA). The wide-ranging law, whose privacy rule took effect five years ago, strictly limits the use and disclosure of patient information to those with a legitimate need for it, such as treating doctors and billing offices.
But Oxendine said he’s not sure whether any charges can be brought against Blue Cross under HIPAA.
Wade said she wants Blue Cross to be held accountable. She’s angry that the company seemed to dismiss the problem as a "computer glitch."
"They’re trying to act like it’s no big deal," she said. "I think it’s a lot worse than they’re saying."
Wade takes no comfort in the fact that she is on a different insurance plan from her son and is not a Blue Cross member. She fears the same kind of mix-up could happen with other insurance companies.
"This is not going to be the last time this happens. That’s the problem," she said.
Oxendine said with all medical providers converting over to computerized records, everyone is going to have to be vigilant about protecting patients’ privacy.
"The bigger question is, How do we secure our personal information in today’s world?" he said.