SilverScript Insurance Company

Letters for 852 prospective new members of the covered entity (CE), SilverScript Insurance Company Part D plan, were misdirected to incorrect addresses. SilverScript is a wholly-owned subsidiary of CVS Health, formerly CVS Caremark. The CE reported that the root cause of the incident was that the eligibility data file received from Northgate Arinso, a third party vendor of Energy Future Holdings, was inaccurate. The data file contained multiple, incorrect addresses, resulting in protected health information (PHI) being disclosed to other members. The letters contained members’ names, addresses, identification numbers, and group numbers and informed the members that such information could be taken to a pharmacy and used to process pharmacy claims. The CE provided breach notification to HHS, affected individuals, and the media. Following the breach, CVS Health implemented additional quality control measures to verify information received from third parties. OCR obtained and reviewed documentation regarding the implementation of those additional quality control measures.
Location of breached information: Paper/Films
Business associate present: No