The Health Flexible Spending Account records of 13,000 Virginia state employees were erroneously sent last month to the wrong human resources or payroll officials … who should have received information only for their own locations.
An insurance subcontractor electronically distributed the confidential health records, which included the employees’ names and Social Security numbers. The exposure of private information was not due to a hacker—but was instead caused by human error.
Laurie Turpin is not pleased that her husband’s records were exposed.
“My concern is that people I may or may not know, know about me, what health issues we have, and have had access to my husband’s Social Security number. So now we have to protect ourselves from fraud. I think that’s a violation of privacy that shouldn’t have happened.”
Five of the HR employees opened the records. The Department of Human Resource Management’s Anne Waring says when the state was notified, it took action.
“All 11 signed and returned to us a written certification that any of that information that had come to them in error they had either destroyed or deleted. These people are authorized to receive this information for their location and their agency. It’s just that they received the entire participant list in error.”
The state sent letters informing affected employees with an offer for free credit monitoring. Waring says new steps to minimize risk of future exposure include omitting Social Security numbers on all records.