PHI of 31,876 Managed Health Services of Indiana Plan Members Potentially Exposed


The Managed Health Services based in Indianapolis, IN, which runs the Hoosier Care Connect Medicaid and Hoosier Healthwise programs, announced to 31,876 plan members on December 2018 that their protected health information (PHI) were potentially disclosed in two different breaches. The first breach was the result of a phishing attack on a Manage Health Services’ business associate – LCP Transportation. The second was due to a mailing error.

Some time in July 30, 2018, LCP Transportation employees clicked on phishing emails and ended up giving the attacker their credentials that permitted remote access to their email accounts. On September 7, 2018, LCP Transportation deactivated the compromised email accounts.

A third-party computer forensics company assisted in investigating the data breach. Although there was no evidence that PHI was misused, it is possible that the attacker accessed the emails in the compromised accounts. A number of the email messages contained the PHI of plan members. The information potentially exposed included names, dates of birth, addresses, dates of service, medical conditions information and insurance ID numbers.

To prevent breaches of this nature, email security was improved and employees received extra training on threat awareness.

LCP Transportation informed Managed Health Services about the breach on October 29. 31,300 affected plan members were sent notifications on December 21, 2018 and were offered free credit monitoring services via CyberScan for one year.

Mailing Error Caused Letters to be Sent to Incorrect Recipients
On December 20, 2018, 576 Managed Health Services plan members were sent notifications that some of their PHI were impermissibly exposed to other plan members because of a mailing error.

On October 16, 2018, Managed Health Services sent letters to plan members about an upcoming pharmacy change. But some letters were sent to the wrong recipients. The mailing error resulted in the exposure of the names, insurance ID numbers, and medication details of a plan member to another plan member. Managed Health Services contacted all persons who got a letter to ask that they give back the mis-mailed letters.

Despite the breach, there was no information received suggesting the misuse of plan members’ PHI; but, as a precaution, affected persons were offered one year free credit monitoring services via CyberScan.

Managed Health Services already did what was necessary to avoid mailing errors from happening again. Mailing policies and procedures as well as reviewing practices of mailing information submission to the national mailing center were reinforced.