More than 13,000 Medicare beneficiaries were affected by 14 breaches of protected health information between September 23, 2009, and December 31, 2011, requiring notification under the American Recovery and Reinvestment Act, according to a new report by the Department of Health and Human Services' Office of Inspector General (OIG).

For the most part the breaches involved beneficiaries' names, Medicare identification numbers, dates of birth, diagnoses, and services received. One breach affected 13,412 beneficiaries. This breach involved a Medicare Summary Notice printing error by a Centers for Medicare and Medicaid Services' (CMS) contractor, which caused the notices to be sent to incorrect addresses. Ten breaches resulted from other mismailings or from loss of documents during transit. In another 2 breaches, beneficiary information was posted online. In the remaining breach, a CMS contractor employee was arrested for stealing beneficiary information.

Although CMS notified all beneficiaries affected by the 14 breaches, it failed to meet the Recovery Act’s standard for timeliness for 7 of them. Notification letters for 6 of the breaches did not explain how the contractors were investigating the breach, mitigating losses, or protecting against further breaches. Moreover, notification letters for half the breaches, including the largest breach, were missing either the date the breach occurred or the date it was discovered. Notification letters for 3 breaches did not include the types of unsecured protected health information involved, contact procedures for individuals who want to learn more, or steps individuals can take to protect themselves from harm.

"CMS has made progress in responding to medical identity theft by developing a compromised number database for contractors," says the report. "However, the database's usefulness could be improved."  

Based on its findings, OIG recommends that CMS ensure that breach notifications meet Recovery Act requirements, improve the compromised number database, provide guidance to contractors about using database information and implementing edits, develop a method for ensuring that beneficiaries who are victims of medical identity theft retain access to needed services, and develop a method for reissuing identification numbers to beneficiaries affected by medical identity theft.