Providence Health Plan business associate Zipari in April notified the health insurer that a coding error allowed unauthorized users to access certain unencrypted enrollment documents for small group health plan members.
Portland, Ore.-based Providence Health Plan reported the security incident to HHS on June 16 as impacting 49,511 members. After discovering the incident on April 9, Zipari launched an investigation and found that certain Providence Health Plan enrollment documents were accessed by unauthorized IP addresses in May, September and November of 2019.
Information accessed was limited to small employer group renewals, including employer names, member names and member dates of birth. No medical history, health information, Social Security numbers or financial information was exposed.
Providence Health Plan had hired Zipari to prepare enrollment documents for employer-sponsored plans in the small group market. The tech services company fixed the coding error and has implemented additional access controls to prevent unauthorized access to files, according to a notice published on Providence Health Plan's website.
Providence Health Plan is offering identity theft protection services to individuals affected by the incident and is arranging a third-party audit of Zipari's data security practices.