Wayward email leads to healthcare data breach for Wilmington city employees

Because the email was deleted, city officials deemed the incident ‘low risk’

WILMINGTON, NC (WECT) - Email is frequently linked to cases of identity theft and data breaches. Most of the time, the thief sends a phishing message that coaxes information out of the victim or carries viruses or malware.

However, a single email led to the improper release of the information of 158 Wilmington city employees earlier this year.

According to documents obtained by WECT, an August insurance claims report from Blue Cross Blue Shield (BCBS) of North Carolina intended for Wilmington officials was accidentally sent to another municipality. That report contained claims information for those 158 employees, including Social Security numbers, the codes for their diagnoses, the dollar amount of each claim and what was paid.

The employee working at the incorrect municipality reportedly deleted the email and notified BCBS, and in turn the company notified the city of Wilmington a few days before Hurricane Florence.

Every year, the city’s Red Flags Rules identity theft prevention program is required by law to give an update on the significant events, or red flags, that occurred in the previous year. Wilmington adopted the nationwide program in 2008.

In the report, the Red Flags committee says the city’s legal department was informed about the incident, but determined no further action was needed, and there was no need to inform the affected employees.

City spokesperson Malissa Talbert further clarified that the file was password protected and that, because the email was sent to only one person, the city determined the breach was “low risk” and therefore did not merit anything further.

Austin Vevurka, a spokesperson from BCBS, said the report was actually an enrollment report, and the information disclosed did not constitute a breach of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which prohibits the unauthorized release of private health information.

When asked why the Red Flags administrator would have reported otherwise in the annual update, Vevurka did not respond.

Either way, Vevurka said, the company has taken steps to prevent other instances of this happening, and regrets the incident.

“Blue Cross NC takes the privacy of our members seriously and apologizes for the error,” Vevurka said in a statement. “The recipient quickly realized the error, informed us, and permanently deleted the file. We then notified the City of Wilmington and followed all of the reporting criteria required by HIPAA and our contract with the City of Wilmington. We have since taken steps to ensure this does not happen again.”

Copyright 2018 WECT. All rights reserved.