Insurer Erroneously Discloses Confidential Patient Information

According to news accounts, Blue Cross Blue Shield of Georgia (“BCBS of Georgia”) recently sent more than 200,000 benefits letters (e.g., EOBs) to incorrect recipients, causing widespread concern among BCBS of Georgia’s patients and forcing the insurer to quickly roll out a mitigation plan.

The Atlanta Journal-Constitution reports that most of the erroneous mailings were EOBs. It further states, quoting BCBS of Georgia’s spokesperson, that a “small percentage” of letters also contained the patients’ Social Security numbers. The Atlanta Journal-Constitution further indicates that “Blue Cross said the mix-up was caused by a change in the computer system that was not properly tested.”

As most providers know, an EOB (or “explanation of benefits”) is a document prepared by a health insurer and forwarded to the respective provider and patient. An EOB results from a healthcare claim adjudication, and the patient’s EOB typically contains various details, including:

  • Patient’s full name and address;
  • All healthcare services provided by the healthcare provider to the patient during the particular visit;
  • Certain information regarding the patient’s diagnosis; and
  • Insurance reimbursement details.

BCBS of Georgia is certainly not alone in its inadvertent disclosure of confidential patient information. Faithful readers of this blog may recall our discussion of BCBS of New Jersey’s notification of security breach earlier this year.

The BCBS of New Jersey matter (unlike the present one involving BCBS of Georgia) involved the insurer’s loss of control over certain electronic data (including patients’ electronic PHI). Since it involved an electronic security breach, it implicated the state’s security breach notification law. While Georgia has a law that is similar to New Jersey’s (see our spreadsheet containing state-specific details), Georgia’s security breach notification law is probably not implicated, since BCBS of Georgia’s disclosure did not involve electronic data. Nevertheless, this scenario would seem to implicate HIPAA.

Disclaimer: The information contained within the MTBC® Learning Center is provided for general educational and informational purposes only and should not be construed as legal advice. The author of the Learning Center does not represent the Web site user or the individual submitting a particular question. Please seek the advice of legal counsel to address any specific questions you may have regarding your particular facts or circumstances.