Independent Health this week notified more than 500 members from the Williamsville Central School District that their protected health information was inadvertently attached to secure reports sent out over a two-year period, potentially exposing their names, member ID numbers and medical diagnosis codes and descriptions.
Independent Health spokesman Frank Sava said in a statement Friday that the insurer believes it is "extremely unlikely" any of the members' health information was accessed or misused because the recipients of the files work for business partners of HIPAA-covered entities that understand the requirements to keep data private.
“The embedded data that inadvertently remained in the secure report was due to human error and Independent Health has already implemented the necessary safety steps to address this and prevent further occurrences," Sava said. "Protecting our customers’ privacy and keeping their information secure is critically important to Independent Health and we deeply regret that this event occurred.”
Sava said the members' data that was mistakenly shared did not include Social Security numbers or any personal financial information. All affected members have been notified, he said, and Independent Health is arranging to provide them with two years of free identity protection and monitoring services.
Independent Health discovered the mistake during an Aug. 13 review, part of its regular safety and security protocols. In that review, the insurer found the protected health information for 541 members at the Williamsville school district, a self-funded plan client, had been embedded in a hidden cache in a secure report sent on a monthly basis to stop-loss carriers and brokers between August 2019 and this August.
Sava said the data was embedded in a way that made it "extremely difficult to discover."
If Williamsville school district members have questions, they can call 631-2661 or toll-free at 1-800-257-2753.
Jon Harris can be reached at 716-849-3482 or email@example.com.