Some Californians receive emails from health insurer with personal details exposed: potential CalINDEX implications?

This week the New York Times reported that some California members of health insurer Anthem Blue Cross received disturbing emails with exposed subject lines related to their sensitive medical information. From the article:

But the emails’ subject lines included member-specific demographic details like age range and language. They also listed possible medical screening tests — marked “Y” for recommended tests and “N” for tests not listed in the email.

One woman in California, for example, received an email with the following subject line:

Don’t miss out — call your doctor today; PlanState: CA; Segment: Individual; Age: Female Older; Language: EN; CervCancer3yr: N; CervCancer5yr: Y; Mammogram: N; Colonoscopy: N (article link)

These emails are troubling on two important fronts.

First, the disclosure of this sensitive information is disturbing in and of itself. It could lead to poor consequences for individuals who may have had their emails go through employers or be in the public domain in other ways. The article discusses some of the broader reasons why these disclosures are an issue.

But second, Anthem Blue Cross is one of the companies behind CalINDEX — a splashy plan announced this summer to put millions of Blue Cross members’ health information in a state-wide information exchange so the records could be shared among health care providers across the state. The CalINDEX would potentially involve roughly a quarter of Californians’ sensitive health information.

Very little is known about CalINDEX yet, but a few details have been eked out in the press. An early story indicated that CalINDEX is set to go live at the end of 2014, and would potentially include 9 million enrollees’ data:

Anthem and Blue Shield will provide secure access to 9 million enrollees’ insurance data and clinical records on the exchange – and will have it go live by the end of the year. Modeled after a public utility, the California Integrated Data Exchange (Cal Index) will be open to any health data contributor. It will provide the data and technology platform to improve quality of care through a statewide resource of integrated patient information and help patients transition between health plans or across health systems.” (Sacramento Business Journal, August 6, 2014)

Data security is a formidable issue in the health care arena. Missteps lead to significant liability and consequences. In a CalINDEX press release from August, the group approached this issue by stating that “The Cal INDEX system is highly secure, using advanced and up-to-date security systems including physically secured systems, complex passwords and modern encryption techniques.” (Business Wire, August 5, 2014).

While Anthem’s email lapse is not yet a CalINDEX lapse, as one of the founding companies, the lapse needs to be considered both in terms of what Anthem needs to do right now for its members, and in the larger frame of CalINDEX. We want to believe that CalINDEX will be highly secure, but our security and privacy concerns about a system that will be as complex and nuanced as CalINDEX have just increased substantially. We want to see a great many more details about CalINDEX’s security and privacy provisions, and we would also like to see an explanation of what is being done technically and procedurally to ensure this kind of email lapse will not occur in CalINDEX.


Related Information:

Articles about CalINDEX:

Medical privacy tips and resources: