I am writing to provide an update on the incident involving a number of OU Health Plan members.
As you may know, Envision Rx discovered the issue on October 5, 2015, upon receiving notice from our office that some Plan members reported receiving letters containing other members’ prescription drug information.
Upon our notifying Envision Rx, they began immediately investigating the occurrence. Their initial findings indicate that data did not export correctly for the Adobe Portable Document Format (PDF) file from their source data, which was verified as accurate. This PDF file was then used to populate the mailing, which resulted in approximately 540 members’ letters containing other members’ claims information. The complete mailing was over 11,000 letters, so that approximately 5% were corrupted. The information included the other member’s first and last name, date of service, name of drug and dosage, cost of prescription, member copay, and Plan paid amount. The information did not include the other member’s demographic or financial information or Social Security Number.
They are continuing to investigate this incident to be certain that they have identified all data inaccuracies, the definitive number of affected members and the root cause of the error.
The following are the steps Envision Rx is taking in accordance with potential Health Insurance Portability and Accountability Act (HIPAA) violations. This is legislation that was passed by Congress in 1996 and is enforced by the Federal Government’s Department of Health and Human Services (HHS):
- It is essential that Envision accurately identify the affected individuals so that they can provide timely breach notification to affected members. Therefore, they continue to investigate, analyze the data, and conduct quality assurance to ensure the accuracy of their findings.
- Envision will mail the breach notifications to each individual whose information was contained in another member’s letter.
- Envision will send members who received other members’ information a letter explaining our error and requesting they return the “wrong” information to Envision in the self-addressed stamped envelope provided. Envision will resend the correct information to this group of individuals.
- HIPAA requires that breaches affecting 500 or more individuals be reported to the Secretary of the Department of Health and Human Services. Envision will report accordingly.
- HIPAA requires that breaches affecting over 500 individuals be reported to a prominent media outlet serving the state or jurisdiction of the affected individuals. Envision will report accordingly.
- Envision is analyzing reporting obligations under state law and will report accordingly.
- Envision will implement whatever steps are necessary to mitigate and prevent future occurrences.
Any additional information that is received regarding this incident will be communicated as quickly as possible.