Insurance records of 71,000 Ga. families made public

April 8, 2008

Bill Hendrick, The Atlanta Journal-Constitution

Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.

Affected families are members of WellCare of Georgia, which is part of WellCare Health Plans, said WellCare spokeswoman Amy Knapp.

She said a human error allowed the information to be accessible for an unknown period of time, but that the secret data was removed from the Internet on April 2. It was not immediately known when the data breach occurred or how long the secret data was available.

The state of Georgia said it was notified March 31.

Knapp said there are 450,000 members of WellCare of Georgia. Those whose data was made available on the Internet included members of Medicaid, the federal health program for the poor, and PeachCare for Kids, a federal-state insurance plan for children of the working poor.

Knapp said letters were being sent to 71,000 Georgia families possibly affected.

WellCare of Georgia is a partnership between the Georgia Department of Community Health and private health care management organizations, she said.

She said about 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare.

"There is a possibility that an initial 59,000 members may have had some personal information made accessible, so we are notifying them as well, just to be safe," Knapp said.

A Web developer prepared a copy of a DCH report folder that was "to be deployed to our Georgia Web portal" but instead made it accessible on the Internet. She said at least 53 folders of names were accessed 248 times.

She also said it could not be determined which secret pages had been viewed.

WellCare said in a statement that it is believed the mistake involved "only our Georgia Families membership in Georgia, and not our Medicare, coordinated care, private fee-for-service or prescription drug plan membership."

"The files exposed did not contain credit card, debit card or financial account numbers," the WellCare statement said. "They may have contained personal identifying information, such as a member's name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, Social Security number or other health plan related information.

"At this time, WellCare is not aware of any misuse of its member information due to the accidental exposure of the file on the Internet," the statement said. "WellCare is now notifying in writing the members who could have been affected by this incident. Members should receive those letters by the middle of this week."

The company also said it is offering to "pay for one year of credit monitoring for those individuals."

The state Department of Community Health said it had no comment on the breach, and that it could not say how many of the letters would go to PeachCare for Kids or Medicaid members.

Lisa Marie Shekell, a spokesman for DCH, said the state was notified of the mistake on March 31.

Mike Cotton, president of WellCare's Georgia region, said it "takes the privacy an security of personal information very seriously" and has retained a national information technology company "to perform a full assessment of its security and privacy controls.

WellCare provides managed care exercises exclusively for government-sponsored health care programs, focusing on Medicaid and Medicare. It offers a variety of health plans for families, children, the aged, blind and disabled, and has 2.3 million members nationwide.

Shekell said 237,437 Georgia families are members of PeachCare for Kids. She said it could not be immediately determined how many Georgia families are on Medicaid.

"Privacy and security of personal information is an essential in health care data systems," Shekell said. "We respect the expectations of our program members that their information be managed in the most secure manner and that they be informed if errors do occur."

She said the state "required WellCare to send out individual letters to notify affected members and provide them with information about credit monitoring services."

main page ATTRITION feedback