Oscar Health said on Friday that there was a data breach that it blames on a printing supplier.
On November 23, a health insurance company discovered that mail intended for some California insurers may have been sent to the wrong customers. The letters include names of participants, provider information, dates of services, and types of treatments and services. Oscar Health did not name the provider it says is responsible.
The documents do not include social security numbers, driver’s license numbers, or any financial information. notification from Oscar Health.
Oscar Health has determined that the incident likely occurred between October 28 and November 16 and has “taken steps to resolve the issue with our printing service provider,” the company said.
Oscar Health did not respond to questions about what steps it has taken, the name of the provider, or how much participant data has been disclosed.
“While we do not believe that any personal information has been misused, we are notifying our affected members out of great care,” the insurance company said in a notice. “All mailings that may have been affected by this incident have been resent accordingly. In addition, we sent separate notices to those participants whose personal information was affected by this event.”
At the time of this article’s publication, the incident had not been published in breach portal supported by the Office of Civil Rights of the Department of Health and Human Services. Under the Health Insurance Portability and Accountability Act, health care providers and insurers are required to report violations affecting at least 500 people within 60 days of discovery.
Oscar Health, founded in 2012, was one of four insurance companies that went public last year. As of September, the company had about 600,000 individual, family, Medicare Advantage, and small group policies. The insurer also sells its technology platform to other payers and providers.
According to a review of data provided by the HHS portal, there have been more medical data breaches in the past year than in any other previous year. By mid-December, HIPAA covered organizations had reported 664 incidents, more than in all of 2020.