Blue Cross Privacy Error Upsets Clients; Jacksonville-Based Health Insurer Apologizes for Putting Clients' Social Security Numbers on Envelopes

Byline: URVAKSH KARKARIA

It wasn't so much the letter from her insurance company that shattered one grandmother's sense of security. It was the white envelope it came in.

Life for the 64-year-old, who requested anonymity to protect her privacy, got a little more insecure after she reached for the Blue Cross and Blue Shield of Florida letter, the only piece of mail in her mailbox last Wednesday. The retiree's panic was over nine little numbers listed above her mailing address -- her Social Security number.

"I said 'What . . . are they doing [putting] my Social Security number in the mail like that,'" recalled the former Medicare auditor, who retired from Blue Cross after nearly three decades.

That question might have been asked many times over in the last week.

The retiree is one of 194 long-term care insurance policyholders whose Social Security number was inadvertently disclosed last month in a mailing that involved 1,900 such letters. The majority -- 137 -- of the improperly labeled letters went to Northeast Florida addresses.

All but six of the affected policyholders were Blue Cross employees, relatives of employees or retirees.

The Jacksonville-based health insurer fingered "human error" for the privacy faux pas and said it intends to inform affected policyholders of the labeling error.

Two years ago, Blue Cross voluntarily began to do away with Social Security-based policy numbers. The old IDs, however, were not updated for one group of customers. In addition, the policy number field that should have been omitted from the label was still present, said Randy Kammer, the company's vice president of regulatory affairs and public policy.

"We made an error and we apologize," Kammer said Wednesday. "If people feel like they're damaged, they should come to us and tell us what they feel the nature of the damage was and see what we can do to make it right."

"But I don't think there is any damage."

But just in case, the insurer said it will pay affected policyholders any expenses involved in monitoring their credit reports.

Kammer refers to the error as a case of "no harm, no foul," because all the affected letters were believed to have reached their recipients, since none were returned.

"There shouldn't be any identity theft unless you've got rogue postal carriers out there copying down numbers," she said.

The mailings in question, sent from subsidiary Florida Combined Life Insurance Company's long-term care division, asked policyholders to provide secondary contact information in case they were unable to make payments on their policies. The cover letter sent with the mailings was dated Aug. 15, 2003, which Blue Cross said was a typographical error.

IDENTITY CRISIS

As conniving crooks seek ingenious ways to massage personal information from unsuspecting consumers, many Americans are becoming sensitive about who peeks at their private information.

Alpharetta, Ga.-based ChoicePoint Inc. revealed in February that thieves using stolen identities created 50 dummy businesses that pulled data including names, addresses and Social Security numbers on as many as 145,000 people. This spring, LexisNexis Inc. disclosed that hackers had commandeered a database and gained access to the personal files of as many as 310,000 people.

Florida had 16,062 victims of identity theft in 2004, compared with 246,570 nationwide, according to the Federal Trade Commission. Jacksonville had 709 victims of identity theft last year -- the fourth highest in the state. Miami topped the list, followed by Orlando and Tampa.

PRIVACY VIOLATION?

Blue Cross does not believe the labeling error is in violation of the Health Insurance Portability and Accountability Act's privacy rules since it didn't include the Social Security number with "willful neglect" and because corrective action was taken within 30 days of the problem being identified, Kammer said. …