Vendor error exposes data of more than 14,000 health plan participants
Brand New Day, a Medicare-approved health plan, is notifying 14,005 patients of a potential breach of electronic protected health information (ePHI) after unauthorized access through a third-party vendor system.
On Dec. 28, Brand New Day discovered that an unauthorized user had accessed the ePHI provided to one of its HIPAA business associates on Dec. 22. The access occurred through a vendor system used by a contracted provider, officials said.
The accessed ePHI included names, addresses, phone numbers, dates of birth and Medicare ID numbers of members. The breach notification provided to the Office of the California Attorney General doesn't reveal whether the data was stolen.
The plan alerted the vendor to the unauthorized access issue, which was fixed within the day. Officials immediately launched an investigation and contacted the Department of Health and Human Services' Office of Civil Rights and the Office of the California Attorney General.
Brand New Day is currently reviewing its existing policies and procedures, which includes a self-audit to prevent a recurrence of this type of error, officials said. The company has also changed its practices regarding access, and all employees will be reminded of the importance of protecting patient data.
Plan members affected by the breach are being offered a year of free identity theft and mitigation services and credit monitoring.
"We sincerely regret that this unintentional disclosure of your protected health information has occurred and wish to assist you with any questions you may have," Brand New Day Compliance Officer Connie Snyder said in a statement. "We take very seriously our role of safeguarding your personal information and using it in an appropriate manner. We apologize for this situation and are taking appropriate measures to prevent a reoccurrence."