The following is a recently reported personally identifiable information (PII) data breach involving a private medical insurance company that improperly handled PII. Incidents such as this will be reported in each edition of CHIPS to increase PII awareness. Names have been changed or omitted, but details are factual and based on reports sent to the Department of the Navy Chief Information Officer (DON CIO) Privacy Office.
The spouse of a non-appropriated fund (NAF) employee requested a waiver from a medical insurance company for medicine not carried in the Department of Defense formulary. When the spouse did not receive the waiver as expected, it was discovered that the waiver was sent to an incorrect fax number. The medical insurance company’s pharmacy reviewer sent the information to a private business. The individual who received the fax stated that the private business had been mistakenly getting faxes from the medical insurance company for the past three years and had tried unsuccessfully to correct the problem. The individual said the faxed documents sometimes contained personal health information (PHI), as well as Social Security numbers (SSN) and other PII.
The Office of the Secretary of Defense (OSD) Privacy Office was notified of the potential breach. The DON Privacy Office was later contacted because at least one of the individuals affected was a Navy NAF employee. Because the breach affected multiple services, the DON and OSD privacy offices worked through the breach process with the medical insurance company. The fax number used by the medical insurance company was immediately corrected. The individual at the private business stated that he shredded all the information that was received and never used it for any purpose before it was destroyed. Known individuals who were affected were notified of the breach.
Faxing is prone to human error and is one of the least secure means of transmitting PHI and PII.
Steps that should always be taken include:
- Double-check the fax number to ensure it is correct;
- Notify the individual who is to receive your fax that you are about to transmit PII or PHI; and
- After sending the fax, contact the individual to confirm secure receipt of the information.
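The three steps above are a send-verify-confirm workflow, and the value of the third step is that a misdirected fax never gets confirmed, so a list of unconfirmed transmissions surfaces a wrong number long before three years pass. The following added example (not from the CHIPS article or the DON CIO office) models that workflow as a guard around outbound transmissions. The verified directory, the fax numbers and the recipient names are all constructed placeholders; no fax hardware is involved.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed sample directory: fax numbers verified out-of-band with the
# recipient, mapped to the recipient name. Numbers are placeholders.
VERIFIED_DIRECTORY = {
    "555-0100": "Pharmacy reviewer, insurance company",
    "555-0101": "Benefits office, NAF activity",
}


class FaxState(Enum):
    BLOCKED = "blocked"        # destination not verified; nothing transmitted
    NOTIFIED = "notified"      # recipient told a PII/PHI fax is coming
    SENT = "sent"              # transmitted; receipt not yet confirmed
    CONFIRMED = "confirmed"    # recipient confirmed secure receipt


@dataclass
class FaxJob:
    destination: str
    state: FaxState = FaxState.BLOCKED
    audit: list = field(default_factory=list)


class FaxGuard:
    """Enforces verify-destination, notify, send, confirm, in that order."""

    def __init__(self, verified_directory):
        self.verified = verified_directory

    def prepare(self, destination):
        job = FaxJob(destination)
        # Step 1: refuse any number not verified with the recipient beforehand
        if destination not in self.verified:
            job.audit.append(f"blocked: {destination} is not a verified destination")
            return job
        # Step 2: notify the named recipient that PII/PHI is about to be transmitted
        job.audit.append(f"notified {self.verified[destination]} at {destination}")
        job.state = FaxState.NOTIFIED
        return job

    def send(self, job):
        # Transmission is only allowed once the recipient has been notified
        if job.state is not FaxState.NOTIFIED:
            job.audit.append(f"send refused in state {job.state.value}")
            return job
        job.state = FaxState.SENT
        job.audit.append("transmitted; awaiting receipt confirmation")
        return job

    def confirm(self, job, confirmed_by):
        # Step 3: only the verified recipient of that number can close the job
        if job.state is FaxState.SENT and confirmed_by == self.verified[job.destination]:
            job.state = FaxState.CONFIRMED
            job.audit.append(f"receipt confirmed by {confirmed_by}")
        else:
            job.audit.append(f"confirmation rejected from {confirmed_by!r}")
        return job


def unconfirmed(jobs):
    """Transmissions that were sent but never confirmed: the list a privacy
    office should review, since a misdirected fax is never confirmed."""
    return [j for j in jobs if j.state is FaxState.SENT]


if __name__ == "__main__":
    guard = FaxGuard(VERIFIED_DIRECTORY)
    good = guard.send(guard.prepare("555-0100"))
    guard.confirm(good, "Pharmacy reviewer, insurance company")
    typo = guard.send(guard.prepare("555-0110"))   # mistyped number: blocked
    for job in (good, typo):
        print(job.destination, job.state.value, job.audit)
    print("open:", [j.destination for j in unconfirmed([good, typo])])
```

The directory check models the "double-check" step as something a system can enforce rather than a habit a sender is asked to keep; the `unconfirmed` report is the routine check that would have exposed the misdirected number in this incident after the first unconfirmed transmission instead of after three years.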
Effective Oct. 1, 2012, in accordance with the DON SSN Reduction Phase Three policy message DON CIO DTG 171625Z Feb 12, DON personnel are prohibited from using fax machines to send documents containing SSNs and other PII.
External customers such as service veterans, Air Force and Army personnel, family members and retirees may continue to fax documents containing an SSN to DON activities but are strongly encouraged to use an alternative means, including the U.S. Postal Service, encrypted email (WINZIP is an authorized encryption method) and the Safe Access File Exchange (SAFE). For details about SAFE, visit: www.doncio.navy.mil/ContentView.aspx?id=4098.
Steve Muck is the Department of the Navy privacy lead.