Tufts Health Plan reports breach affecting 60,000 individuals

December 8, 2020
Medicare Web

Tufts Health Plan, a Massachusetts-based health insurance company, reported a breach on November 25 that affected 60,545 individuals, according to the Office for Civil Rights (OCR) breach report.

The breach stems from a security incident at EyeMed, which manages vision benefits for Tufts Health Plan.

On July 1, EyeMed discovered that an unauthorized individual gained access to an EyeMed email mailbox and sent phishing emails to email addresses contained in the mailbox’s address book, according to a security notice posted on its website. EyeMed said it promptly blocked the unauthorized individual’s access, secured the mailbox, and launched an investigation into the incident.

The investigation determined that the exposed protected health information (PHI) and personal information of individuals may have included the following:

  • Address
  • Date of birth
  • Driver’s license or other government identification number
  • Email address
  • Health insurance account/identification number
  • Medicaid or Medicare number
  • Phone number
  • Vision insurance account/identification number
  • Social Security number

EyeMed was not aware of any misuse of the information, but it mailed letters to affected individuals and established a dedicated call center to answer any questions individuals may have about the incident.

EyeMed also implemented extra security measures on its network and is providing additional security awareness training.

The letters mailed to individuals include an offer for free credit monitoring and identity protection services for two years, according to EyeMed. The company also encouraged affected individuals to review financial statements, credit reports, and statements received from their health insurers.
