Poor system testing caused a medical records privacy breach affecting over 200,000 members of Georgia Blue Cross and Blue Shield. The case has implications for both consumer privacy and IT's impact on business operations.
In an emailed statement, Blue Cross spokesperson Cindy Sanders said:
[A] mailing of Explanation of Benefits (EOB) letters included EOBs sent to incorrect addresses. These EOBs may have included protected health or personal information. We are currently assessing how many people may have been affected by this incident and we will quickly notify impacted members and send them the correct EOB.
The Atlanta Journal-Constitution reports that Blue Cross blames "a change in the computer system that was not properly tested." During a phone call, I asked Sanders for details; her vague response was: "We are still going through the situation and assessing it right now."
Commenting on the privacy breach, Georgia's Insurance Commissioner, John Oxendine, told WALB television:
This is a very serious breach. It's the worst breach of health care privacy I've seen in my 14 years in office. Obviously it was unintentional but it's a violation of both state and federal law.
THE PROJECT FAILURES ANALYSIS
This case is significant for two reasons: most importantly, it demonstrates the need for stricter regulation regarding how organizations handle confidential consumer data. Additionally, the situation provides a clear example of the link between an organization's technical practices and overall business operations.
On the privacy side, data breaches resulting from poor practice or carelessness are common. I continue to believe stricter government regulation and enforcement is required to solve this problem. Consumers will continue to be screwed until governments become more involved.
From an IT perspective, this data breach demonstrates how backend systems and procedures, such as software quality assurance, can directly affect business activities. Although we don't have much detail, it appears Blue Cross didn't properly test an upgrade or other code change before deployment. We don't know whether this lapse was a one-time mistake or represents a deeper systemic IT issue inside Blue Cross.
Sanders' emailed statement suggests the problem was straightforward enough to identify and fix quickly:
This was an isolated incident and will not impact future EOB mailings. As soon as we became aware of the mailing error, we worked to determine the exact cause and we have made changes to prevent it from happening again in the future.
Since Blue Cross knows why the problem occurred, they should be more forthcoming with the public. Sanders added no new information in response to my follow-up request for more details:
There was a system change that was not comprehensively tested. We have already made changes to prevent it from happening in the future.
In my view, that response is completely unhelpful and doesn't recognize the substantial threat of identity theft many Georgia Blue Cross subscribers now face.