City of Henderson Data Breach (2012)

The City of Henderson in Kentucky notified HHS that 1,008 were affected by a breach that began or occurred on June 28, 2012 and that was discovered on March 3, 2014. The incident involved a business associate, Keystone Insurers Group. The city kindly provided PHIprivacy.net with a copy of the legal notice they posted in The Henderson Gleaner on May 9, 2014: In 2012, the City of Henderson, Kentuckys health benefit plan (Plan) began exploring the possibility of opening a health clinic for its employees and their dependents to try to reduce health plan costs, and began providing information to its broker to help with this process. On several occasions between January 23, 2013 and March 3, 2014, the broker shared data from the Plan with several health care providers (and one business associate of a provider) who were being considered as possible partners with the City in development of such a clinic. On March 11, 2014, the City learned that the data shared with these potential partners included its Plan Participants detailed individually identifiable health information. The City has conducted an investigation and concluded that more health information was disclosed than was minimally necessary to obtain proposals for the health clinic, although there is no reason to believe the information was misused in any way. The information released to the broker and then to the providers included names of Plan participants, insurance ID numbers, addresses, gender, birthdate, and information about the treatment, diagnosis, prescriptions, expenses, providers, and workers compensation claims (if applicable) of Plan Participants. The City has no reason to believe that your information has been misused or disclosed inappropriately by anyone who received it. All the recipients are required to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) privacy law and protect the information they received. In addition, all of them have assured us that they have not forwarded the information to anyone else (other than the business associate, who forwarded the information to one of the providers). We have asked the recipients to destroy any copies of the information they may have had in their files. Nevertheless, in an abundance of caution, we are in the process of sending notification letters to those persons affected so that they may take any extra precautions that they might consider to be necessary. The City is treating this matter very seriously and is working to ensure something like this does not happen again. It has put procedures in place to assure only the minimum amount of your health information is used, disclosed or requested for its future administrative needs, and it has asked its broker to provide us with assurances that its employees have received adequate training on all applicable HIPAA requirements. The safety and security of your health information are among the Citys and the Plans highest priorities. Even though the City has no evidence that Plan Participant information has been misused, it encourages Plan Participants to review carefully all regular and electronic correspondence received from UMR (the company that processes the Plans health care claims) for unauthorized activity, such as claims paid out of the HRA that Participants do not recognize, or an explanation of benefits detailing treatment Participants did not receive. If you have other questions concerning your health information, please contact Dawn S. Kelsey, City Attorney, at 270-831-1200, City of Henderson, P.O. Box 716, Henderson, KY 42419-0716.