AdminisTEP

The covered entity’s (CE) print and mail sorting vendor, Administep, improperly stuffed and mailed letters which contained other enrollees’ names, addresses, subscriber identifications, claims amounts, and service descriptions. The breach affected approximately 4,469 of the CE’s enrollees. The CE provided breach notification to HHS, the media, and affected individuals, and offered individuals free one-year identity theft protection services. In response to the incident, the CE provided evidence that it placed the business associate (BA) responsible for the breach on a corrective action plan which required the BA to complete a documented quality assurance check for each new implementation or modification of a mailing project. This includes administrative sign- offs and ongoing, random audits on a sample of envelopes for each project. OCR obtained assurances that the CE implemented the corrective actions listed.
Location of breached information: Paper/Films
Business associate present: Yes