Blue Cross and Blue Shield of Rhode Island Privacy Breach Was Due to Mailing Vendor Error


Blue Cross and Blue Shield of Rhode Island (BCBSRI) is notifying 1,567 plan members about the impermissible disclosure of their protected health information (PHI) by one of its business associates. The business associate was a vendor contracted by BCBSRI to send explanation of benefits statements to its plan members. The explanation of benefits statements contain summaries of the healthcare services that members have used under the health plan. They included information such as the members' BCBSRI ID number, the names of the service provider(s) and the service(s) provided, and the price of the claims.

The business associate made an error while preparing the statements, which resulted in the statements being sent to the wrong persons. The impermissible PHI disclosure was due to a mistake made by the vendor while merging the explanation of benefits statements for some members who are covered under a similar policy. Combining the statements was supposed to minimize the number of summaries that some members would receive.

The mistake occurred because some explanation of benefits statements were combined incorrectly for the mid-July mailings. Consequently, the summaries were sent to the wrong family members or to other persons in the household who were also covered by a similar policy. Upon learning of the mistake, BCBSRI directed the vendor to stop combining the statements and to send individual summaries to members while BCBSRI attempts to find another solution.

BCBSRI issued a statement about the incident confirming that the error disclosed PHI only to family members or other persons within the same household covered by the health plan policy, and not to other BCBSRI members. Because no Social Security numbers or birth dates were included in the summaries, and only family members viewed the summaries, it is expected that there is a very low risk of information misuse. All persons affected by the breach are going to be informed of the privacy breach via mail in a few days.