Mailing Error at CMS Vendor Affects 10,000 Medicare Beneficiaries
The Centers for Medicare & Medicaid Services (CMS) has started notifying certain Medicaid beneficiaries about an impermissible disclosure of some of their protected health information due to a mailing error at one of its contractors. The incident occurred at Palmetto GBA, which the CMS uses to handle claims. Between January 8 and January 29, 2023, Palmetto GBA mailed Medicare Summary Notices (MSNs) to Medicare recipients; however, a computer programming issue with its print mail services resulted in MSNs for the final quarter of 2022 being mailed to other Medicare beneficiaries within the same zip code.
The programming error was discovered by Palmetto GBA on February 7, 2023, and reported the incident to the CMS the same day. The CMS then worked with Palmetto GBA to identify the individuals affected and determined the error had resulted in 10,011 MSNs intended for Medicare beneficiaries in Alabama, Georgia, and Tennessee being sent to incorrect individuals. The MSNs contained the Medicare beneficiary’s name, address, claim number, dates of service, the last four digits of their Medicare Beneficiary number, and service/procedure descriptions with billing codes. The CMS believes that the risk of identity theft and Medicare fraud is minimal. Palmetto GBA has fixed the programming error and has increased reviews of printed mail for quality assurance purposes to protect against similar incidents in the future.
Adelanto HealthCare Ventures Phishing Attack Affects Patients of UHS of Delaware
UHS of Delaware, Inc. has recently notified 40,290 individuals about a data breach at a consulting company. In November 2021, Adelanto HealthCare Ventures (AHCV) suffered a phishing attack that allowed unauthorized individuals to access employee email accounts. The phishing incident was investigated, and it was determined that no protected health information had been exposed or stolen; however, on August 19, 2022, it was confirmed that some PHI had been exposed.
AHCV has improved its security measures in response to the incident to better protect against similar incidents in the future, including providing its workforce with further training. The incident affected several of its healthcare clients. You can find further information on the incident in this post.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
PHI Exposed in Northeast Behavioral Health Care Consortium Phishing Attack
Northeast Behavioral Health Care Consortium (NBHCC) in Moosic, PA, has notified 13,240 patients that some of their protected health information has been exposed and potentially stolen. On February 20, 2023, NBHCC discovered an employee email account had been accessed by an unauthorized individual as a result of a response to a phishing email.
A review of the affected email account confirmed it contained protected health information such as names, member numbers, Medicaid numbers, diagnoses, detailed incident descriptions, and levels of care. NBHCC said it hasn’t identified any misuse of patient data and believes the primary goal of the attackers was to obtain other companies’ information; however, misuse of patient data could not be ruled out. A third-party cybersecurity firm was engaged to assist with the investigation and has taken action to mitigate risk and prevent similar incidents in the future.
