Medicaid Incident Leads Breach Roundup1,400 Affected by Mailing Error
In this week's breach roundup, a Medicaid HMO plan in Missouri is notifying almost 1,400 enrollees that their personal information was mailed to an incorrect address due to a vendor error. Also, the UK Information Commissioner's Office has fined the Bank of Scotland Â£75,000 after customer account details were repeatedly faxed to the wrong recipients.
Mailing Error Exposes Patient Info
MO HealthNet, a Medicaid HMO program in Missouri, is notifying almost 1,400 enrollees that their personal information was mailed to an incorrect address due to a software programming error by one of its vendors, Infocrossing Inc.
The misdirected mailing included participant name, date of birth, identification account number, county name, phone number, and the last four digits of the Social Security number, according to a statement from the Missouri Department of Social Services.
The Medicaid plan is notifying those affected that Infocrossing is offering them free credit monitoring services for two years, the statement says.
Fax Errors Lead to Â£75,000 Fine
The UK Information Commissioner's Office has fined the Bank of Scotland Â£75,000 (about $115,500) after customer account details were repeatedly faxed to the wrong recipients.
The improperly faxed information includes pay-slips, bank statements, account details and mortgage applications, as well as customer names, addresses and contact details, according to the ICO.
The documents were improperly faxed over a four-year period, with the first incident reported in February 2009 by a third-party organization. That organization received at least 21 of the documents, and a member of the public received 10 misdirected faxes, ICO reports.
Despite being notified of the error, the misdirected faxes continued, the ICO says.
"The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines," says Stephen Eckersley, head of enforcement at the ICO. "To send a person's financial records to the wrong fax number once is careless. To do so continually over a four-year period, despite being aware of the problem, is unforgivable and in clear breach of the Data Protection Act."
Clinic Reports Employee Breach
Rocky Mountain Spine Clinic in Denver is notifying 532 patients that their protected health information was inappropriately sent by a former employee to her personal e-mail account.
The employee, who worked in the clinic's billing department, created a document containing the information and sent it to her personal e-mail account, according to The Denver Post.
The employee was fired and a police report was filed, but no charges are expected in the case, the news report said.
Compromised information included patient names, insurance company information and tracked patient surgeries.