The personal information belonging to members of TRH Health Plan, a not-for-profit service, was inappropriately used in a marketing campaign by its administrative partner, BlueCross BlueShield of Tennessee (BCBST).

How many victims? Roughly 80,000 members.

What type of personal information? Names and addresses.

What happened? The member data was shared internally with the BCBST marketing team, in addition to being sent to a third-party that created mailings geared toward the BlueCross Medicare Advantage mail marketing campaign, a violation of the Health Insurance Portability and Accountability Act (HIPAA).

What was the response? Investigations were conducted by both TRH and BCBST into the data misuse and the personal data shared with the marketing team and third-party was destroyed. Members whose data was involved in the breach were mailed letters addressing the incident on Jan. 9.

Details: After members received mailings related to the campaign, they contacted TRH with questions, which initially brought attention to the incident. In order to stop mailings from occurring, BCBST contacted the printer. TRH believes that members should not be concerned regarding the security of their information.

Quote: “This is an isolated incident. It’s different from a lot of the breaches (in the news recently) where hackers, who have stolen content, have bad intent. In this case we know who had the information and where it went,” Ryan Brown, general counsel at TRH in Columbia.

Source: tennessean.com, The Tennessean, “BlueCross BlueShield mailing violates act,” January 13, 2015.