This week, a spokesperson for the Department of Managed Health Care confirmed that the agency in October 2011 posted confidential information on its website about eight individuals, Payers & Providers reports.
Until last year, DMHC posted copies of enforcement actions against health plans, medical groups and insurance agents on its website.
However, the agency halted the practice in October 2011, citing a website redesign and "errors" involving certain enforcement actions.
According to documents obtained by Payers & Providers, DMHC had posted confidential medical information for seven Medicare Advantage beneficiaries on the site. DMHC also had posted confidential information about one health insurance agent online.
The beneficiaries had provided information to DMHC about questionable practices by health insurance agents. The agent had been ordered by DMHC in 2011 to stop selling policies because of deceptive marking tactics and failure to disclose criminal convictions.
DMHC Confirms Breach
This week, DMHC spokesperson Marta Bortner confirmed that the breaches had occurred.
She said the data were normally posted for public view but were "insufficiently redacted." Bortner said the information was taken down in October, immediately after the error was discovered.
The confidential information relating to the MA beneficiaries included their physicians' names, their medical conditions and any medications they were taking.
A medical procedure also was disclosed for one of the beneficiaries who had filed a grievance against Anthem Blue Cross of California.
DMHC had posted the Social Security number, birth date and previous address of the insurance agent.
Documentation suggests that the confidential information could have remained on the site for as long as seven months, but in most instances it was posted for about a month starting in September 2011.
In November 2011, DMHC sent disclosure letters to the MA beneficiaries recommending that they monitor their explanations of benefits for unauthorized charges. The agency recommended that the insurance agent monitor his credit score.
At least one of the individuals has filed a lawsuit against DMHC over the breach.
DMHC has stopped posting ongoing enforcement actions on its website as a result of the breaches. The agency also has created new policies for redacting documents (Payers & Providers, 3/8).