Breach Lessons: Sweat the Small Stuff
Incidents Involve Documents in Discarded Cabinet, Mailing Error
Health insurer Aetna Inc. has notified about 4,900 people that paper files containing some personal information were mistakenly left in a file cabinet the company was discarding as part of an office move.
In another incident, the University of Florida has notified more than 2,000 people that their Social Security numbers or Medicaid identification numbers were included on address labels on a mailing about a medical research study.
Under the HITECH Act's breach notification rule, organizations must notify the media and the Health and Human Services Office for Civil Rights, in addition to individuals affected, about breaches involving more than 500 people.
Aetna Incident
Aetna reports that the vendor it hired to move and discard furniture "put the file cabinet out for clearance" on March 29. The person who obtained the cabinet contacted Aetna about the documents and returned them on May 28. Although the company says it has no reason to believe the information was misused, it is offering affected individuals free credit monitoring.
Most of the documents in the cabinet were health plan dependent enrollment forms from 2003 to 2007 for individuals who worked for mid-sized employers and lived in New Jersey or Pennsylvania. They included name, address, Social Security number and date of birth.
"Aetna is taking corrective actions to tighten our processes for office moves and our document retention policies, with both employees and vendors, along with other measures, to help ensure that this does not happen again," the company said in a statement.
University of Florida Incident
In the University of Florida incident, letters were mailed May 24 as part of a research study conducted through the UF College of Medicine's Department of Epidemiology and Health Policy Research. The letters were sent to parents or guardians of adolescent girls to seek their participation in a telephone survey about a vaccination. In addition to appearing on the mailing labels, the identifiers were shared with a telephone survey company, university officials said.
The identifiers were supposed to have been randomly generated. Instead, 647 were Social Security numbers and the remainder were Medicaid numbers.
University officials advised those affected to monitor their financial information. They say the mailing service and the survey company both are purging and destroying the identifiers and signing legal documents indicating the tasks have been completed. "We have taken steps to address this problem and are continuing to evaluate our processes and procedures," said Susan Blair, the university's chief privacy officer.