than 13,000 Medicare beneficiaries were affected by 14 breaches of protected
health information between September 23, 2009, and December 31, 2011,
requiring notification under the American Recovery and Reinvestment Act,
according to a new report by the Department of Health and Human Services'
Office of Inspector General (OIG).

For the most part the breaches
involved beneficiaries' names, Medicare identification numbers, dates of birth,
diagnoses, and services received. One breach affected 13,412 beneficiaries. This
breach involved a Medicare Summary Notice printing error by a Centers for
Medicare and Medicaid Services' (CMS) contractor, which caused the notices to
be sent to incorrect addresses. Ten breaches resulted from other mismailings or
from loss of documents during transit. In another 2 breaches, beneficiary
information was posted online. In the remaining breach, a CMS contractor
employee was arrested for stealing beneficiary information.

Although CMS notified all
beneficiaries affected by the 14 breaches, it failed to meet the Recovery Act’s
standard for timeliness for 7 of them. Notification letters for 6 of the
breaches did not explain how the contractors were investigating the breach,
mitigating losses, or protecting against further breaches. Moreover,
notification letters for half the breaches, including the largest breach, were
missing either the date the breach occurred or the date it was discovered.
Notification letters for 3 breaches did not include the types of unsecured
protected health information involved, contact procedures for individuals who
want to learn more, or steps individuals can take to protect themselves from

"CMS has made progress in
responding to medical identity theft by developing a compromised number
database for contractors," says the report. "However, the database's
usefulness could be improved."

Based on its findings, OIG recommends that CMS ensure
that breach notifications meet Recovery Act requirements, improve the
compromised number database, provide guidance to contractors about using
database information and implementing edits, develop a method for ensuring that
beneficiaries who are victims of medical identity theft retain access to needed
services, and develop a method for reissuing identification numbers to
beneficiaries affected by medical identity theft.