Mailing Mistake Led to Impermissible Exposure of 19,570 Missouri Care Members’ PHI

September 1, 2018

A mistake in a mailing to Missouri Care members reminding them to book well-child visits has led to the unintentional exposure of the private information of nearly 20,000 kids to other Missouri Care members.
The private information described in the letters was restricted to kids’ names, ages, and the names of their provider’s. Health information and other confidential data were not disclosed, so the possibility for the information to be abused is little. Nevertheless, out of an abundance of caution, parents and lawful custodians of affected kids have been notified to check their credit card bills and account statements for any doubtful activity and told not to reply to any electronic mail requests asking for more private information. Free credit checking facilities have been offered to all people affected by the break.
WellCare Health Plans Inc. found the mistake on July 25, 2018 and started an inquiry to decide how the mistake happened and the people that were impacted. The mailing had been sent to 19,570 people, even though it is unclear how many of those letters were erroneously addressed.
The private information that was disclosed is categorized as protected health information under HIPAA, and as such, the disclosure of the information needs notices to be mailed to all affected people. As the occurrence involved more than 500 people, a media advertisement concerning the break was also necessary and was sent to the Kansas City Star.
In the letter, WellCare Health Plans VP and chief safety and secrecy officer said, “Missouri Care is acutely dedicated to safeguarding our members’ secrecy, and we express regret for any inconvenience this occurrence might have caused.”
WellCare Health Plans Inc., said policies and procedures for mailings have been revised and updated to avoid similar occurrences from happening in the time to come.
This is the second mis-mailing case to affect Missouri Care members in the previous year. A similar mis-mailing mistake happened in August 2017, which led to the unintentional exposure of the PHI of 1,223 plan members. In that instance, the mistake was made by a subcontractor used for the mailing.