'Human error' exposes patients' Social Security numbers in N.C.

February 7, 2006

By Jaikumar Vijayan

http://www.computerworld.com/securitytopics/security/privacy/story/ 0,10801,108444,00.html

A "human error" at Blue Cross and Blue Shield of North Carolina allowed the Social Security numbers of more than 600 members to be printed on the mailing labels of envelopes sent to them with information about a new insurance plan.

The mistake affected patients who had applied for a new health savings account insurance plan, said Gayle Tuttle, a spokeswoman for the Chapel Hill, N.C.-based insurer. "The mailing label on a welcome letter that we sent out to 629 people enrolled in one of our individual insurance plans contained an 11-digit tracking number, nine of which were the members. Social Security numbers," Tuttle said. "The release of this information is the result of a regrettable human error."

As part of a broader bid to enhance privacy, Blue Cross has been using a new subscriber number instead of Social Security numbers to identify patients, Tuttle said. Even so, there is still a "linking" that goes on internally between the subscriber IDs and Social Security numbers that may have contributed to the error, she said.

The problem was discovered on Jan. 30, and letters were sent to the affected individuals on Feb. 1 informing them of the breach and instructing them to check for fraudulent activity with the major credit reporting bureaus. "We are taking this very seriously," Tuttle said. "But this affects only a very tiny percentage of our members."

Following the incident, Blue Cross is looking at its internal processes and procedures to see how such mistakes can be avoided in future, Tuttle said.

The incident at Blue Cross is similar to one involving The Boston Globe last week and another case involving tax preparer H&R Block Inc. in Kansas City, Mo.

In the Globe incident (see . Newspapers. Exposure of Data Points Out Hidden Risks.), confidential information belonging to more than 200,000 subscribers was inadvertently exposed when the Worcester Telegram & Gazette, a sister publication in Worcester, Mass., reused paper containing their names, credit card numbers and bank account information to print routing labels that were attached to bundles of newspapers.

In the H&R Block case, the company accidentally embedded Social Security numbers in a 47-digit tracking number on packages used to mail free copies of the company.s TaxCut tax preparation software in mid-December. The problem was reported to the company by an affected individual shortly thereafter, and letters were sent to all affected persons on Dec. 22, said H&R Block spokeswoman Denise Sposato.

The problem was the result of an .inadvertent human error. and affected only a small percentage of former H&R Block clients, she said.

"The Social Security numbers were embedded within this 47-digit string. They were not broken out in any way shape or form," making it extremely difficult for anyone to even notice the error, Sposato said. In fact, less than 10 of the affected individuals detected the problem on their own, she said.

"We've been around for over 50 years, so if anybody knows about the sensitivity and confidentiality of financial data, it is H&R Block," Sposato said. "This was totally contrary to H&R Block's policies and procedures."

Since the incident, H&R Block has completed an investigation into what happened and has fixed the problem. She did not offer further details.

[an error occurred while processing this directive]