On April 13, 2018, Blue Shield of California reported a HIPAA email breach to the U.S. Department of Health and Human Services (HHS). The breach at Blue Shield of California, which is based in San Francisco, California, affected the protected health information of 1717 individuals. Blue Shield of California is classified as a Health Plan.
According to Blue Shield of California's statement:
On March 23, 2018, the Blue Shield of California (Blue Shield) Privacy Office received confirmation that your Protected Health Information had been shared with an insurance broker who was not authorized to receive it. The disclosure occurred in November 2017, during the 2018 Medicare Annual Enrollment Period, when a Blue Shield employee emailed a document containing your PHI to an insurance broker in violation of Blue Shield policies. We sincerely apologize for this incident and regret any inconvenience it may cause you. The Protected Health Information (PHI) disclosed included only the following: your name, home address, mailing address, Blue Shield subscriber identification number, telephone number, and the name of the Blue Shield Medicare Advantage plan you were enrolled in at the time. Blue Shield began its investigation into this matter in mid-January 2018. We believe that the broker who received your PHI may have used it to contact you for purposes of selling you a Medicare Advantage Plan offered by another health insurance company. Blue Shield has reported this matter to the Centers for Medicare and Medicaid Services (CMS), which oversees the Medicare program. We have taken disciplinary action against the employees who were responsible for sending your PHI to the insurance broker. Our Medicare sales staff is being re-trained on the appropriate use and disclosure of member PHI. Blue Shield takes this incident seriously and is committed to maintaining your privacy.
The HHS Wall of Shame is a website under the jurisdiction of HHS that lists all HIPAA breaches reported within the last 24 months. The Wall of Shame displays breaches that are currently under investigation by the Office for Civil Rights. Under section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame.