FirstCare Health Plans in Texas is informing over 8,000 plan members about the impermissible disclosure of some of their personal data. The privacy breach was caused by an email distribution list error, which resulted in automated reports being sent to an incorrect recipient.
The automated daily reports included medical requests containing members’ names, ID numbers, descriptions of treatments, names of treating providers, procedure codes and authorization numbers.
The FirstCare IT security team discovered the error on August 15, 2018. An investigation into the error revealed an incorrect email address had been added to the distribution list on March 22, 2017. Over the course of the following 17 months, protected health information (PHI) of 8,056 plan members had been sent to the email address.
FirstCare had previously implemented several cybersecurity solutions to detect possible intrusions, data breaches, and impermissible disclosures of ePHI; however, in this case those solutions failed to identify the error. Once the error was identified, the IT security team removed the incorrect email address from the email distribution list to prevent further impermissible disclosures of ePHI. An audit of the system was conducted to determine whether any other reports had been emailed in error, but it did not identify any further issues.
FirstCare has now implemented a new protocol to ensure that distribution lists for active reports are regularly monitored and new auditing parameters have also been implemented.
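The kind of recurring check such a protocol implies, as an added example that is not FirstCare's own code: every recipient of an automated report is compared against an allowlist of approved domains and individually approved addresses, and any unapproved entry is reported together with how long it has been on the list. The domains, addresses and dates below are constructed for illustration.

```python
"""Audit an automated-report distribution list against a recipient allowlist."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ListEntry:
    address: str
    added_on: date  # date the recipient was added to the list


# Constructed allowlist: the plan's own mail domain plus named external exceptions.
APPROVED_DOMAINS = {"example-healthplan.test"}
APPROVED_ADDRESSES = {"auditor@partner.example"}

# Constructed distribution list; the third entry is the kind of stray address that
# slipped through in the incident described above.
SAMPLE_LIST = [
    ListEntry("um-reports@example-healthplan.test", date(2016, 5, 1)),
    ListEntry("auditor@partner.example", date(2016, 9, 12)),
    ListEntry("jdoe@unrelated-mail.example", date(2017, 3, 22)),
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_distribution_list(entries, approved_domains=APPROVED_DOMAINS,
                            approved_addresses=APPROVED_ADDRESSES, as_of=None):
    """Return each recipient not covered by the allowlist and its days on the list."""
    as_of = as_of or date.today()
    findings = []
    for entry in entries:
        addr = entry.address.strip().lower()
        if addr in approved_addresses or _domain(addr) in approved_domains:
            continue
        findings.append({
            "address": addr,
            "added_on": entry.added_on.isoformat(),
            "days_on_list": (as_of - entry.added_on).days,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_distribution_list(SAMPLE_LIST, as_of=date(2018, 8, 15)):
        print("UNAPPROVED RECIPIENT:", finding)
```

Running the audit on a schedule, and on every change to the list, turns a 17-month exposure into a same-day finding.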
FirstCare made several attempts to contact the email account owner via email, but no response was received. It is possible that the email account has not been accessed and is no longer being monitored. FirstCare also asked for assistance from the U.S. federal government to help identify the person who set up the email account in a further attempt to make contact and ensure the ePHI contained in the emails is securely deleted. Those efforts are ongoing.
FirstCare explained in its substitute breach notice that it is unaware of any misuse of the data contained in the reports; however, since there is a risk that the ePHI has been accessed, FirstCare has offered all impacted patients one year of credit monitoring services via LifeLock without charge.