The other day, in blogging about recent updates to HHS’s breach tool, I noted an entry from Delta Dental of Pennsylvania involving ZDI:
Delta Dental of Pennsylvania reported that their business associate, ZDI, suffered a breach involving the loss of paper records for 14,829 patients. The breach occurred on March 20. I was unable to find any notice on Delta Dental’s web site, and was unable to find any site for ZDI. An email sent to Delta Dental received no response as of the time of this posting.
Delta Dental of Pennsylvania contacted to me today, and here is their statement about the incident, dated April 26, 2013:
Delta Dental of Pennsylvania notifies Select Medical employees of mailing mishap
MECHANICSBURG, PA. — Delta Dental of Pennsylvania notified 14,829 employees of Select Medical Corporation that a mailing to their employer arrived with pages missing that contained enrollees’ personal information.
The incident, which was discovered on March 25, 2013, resulted from a March 20 invoice mailing to Select Medical. Select Medical notified Delta Dental that the envelope, sent USPS Priority Mail by Delta Dental’s mailing vendor, arrived opened and with pages missing that contained employees’ names and Social Security numbers. No other information (such as address or date of birth) was disclosed.
As soon as it was notified about the missing pages, Delta Dental immediately began an investigation but was unable to determine whether the envelope was inappropriately sealed by the mailing vendor, whether the envelope sealant failed, or whether the envelope otherwise opened during transit through the U.S. Postal Service. Delta Dental also notified the U.S. Postal Service about the incident.
Although Delta Dental believes the risk of exposure is limited, it is providing free credit monitoring to all enrollees whose names were included in the invoice, even those whose names were on the pages received by Select Medical. In addition, to further reduce the likelihood of such an incident occurring in the future, the company is reviewing its current practices and procedures to optimize the security of personal information for all Delta Dental plan subscribers.
“Delta Dental takes seriously its role to safeguard personal information and sincerely apologizes for any inconvenience to Select Medical and any of its employees who were impacted by this unusual incident,” said Michael Hankinson, Delta Dental’s chief compliance officer. “We sincerely regret that this has happened, and we are committed to prevent such occurrences in the future.”
Note that ZDI, the mailing vendor, was not named in their statement. Delta Dental’s spokesperson explained that ZDI isn’t named in the press release “because Delta Dental takes responsibility for this unintended disclosure. We also have made some internal changes to our invoicing policies to prevent a similar occurrence in the future.”
In a week where I’m seeing a lot of breached entities blaming others or accusing others for their breaches, it’s refreshing to read an entity forthrightly take responsibility for a breach.