California customers of Anthem Blue Cross received emails from the insurer Monday containing member-specific information in the subject line, according to The New York Times. The information included a customer age descriptor, primary language spoken and recommended health screening tests. It's unclear if this incident will trigger data breach notification requirements under California law or HIPAA. California's breach notification law requires organizations to submit a copy of their breach notices to the attorney general when more than 500 Californians are affected.
"This information is certainly sensitive," one recipient told a reporter. "A call for certain tests, and frequency, could indicate a health problem."
Kristin Binns, a spokeswoman for Anthem, responded in an email to FierceHealthPayer Wednesday that "a vendor recently sent emails on our behalf to certain members encouraging them to proactively take control of their health and seek appropriate preventive screenings. While the emails were sent to the intended recipients, they inadvertently contained information about recommended preventative screenings in the subject line. Neither the email nor the subject line contained detailed member information such as diagnoses, test results or financial information."
Anthem has dealt with information security breaches before, The Times reported. In 2012, the insurer settled a lawsuit brought by the state's attorney general after the company mailed letters in envelopes that exposed the Social Security numbers of 33,000 people. And last year, the company sent data breach notices to doctors informing them that their protected information was inadvertently displayed on the corporate website.
This latest incident highlights the security risks of sending patient-specific health information to personal email accounts, The Times noted.
"Hospitals have moved away from using ordinary email because there are all sorts of ways in which it can be compromised, intercepted in transit, or seen by your email provider," data security and privacy expert Jonathan Mayer told the newspaper. "It's especially bad when the information is in the subject line because who knows where that could pop up."
Recognizing these risks, many hospitals have started using more secure communications channels such as online portals requiring patients to log in for customized health messages and test recommendations, The Times noted.