Oscar Health experienced a data breach it’s blaming on a printing vendor, the company disclosed Friday.
The health insurance company discovered on Nov. 23 that mail intended for some California policyholders may have been sent to the wrong customers. The letters include member names, provider information, dates of service, and types of procedures and services. Oscar Health didn’t name the vendor it says is responsible.
The paperwork doesn’t include Social Security numbers, driver’s license numbers or any financial information, according to a notice from Oscar Health.
Oscar Health determined the incident likely occurred between Oct. 28 and Nov. 16 and has “taken steps to address the matter with our print vendor,” the company reported.
Oscar Health did not respond to questions about what steps it has taken, the name of the vendor or how many members’ data were exposed.
“While we do not believe there has been a misuse of any personal information, we are notifying our affected members out of an abundance of caution,” the insurer’s notice says. “All mailings that may have been impacted by this incident have been re-sent accordingly. Additionally, we have sent individual notices to those members whose personal information was impacted by the event.”
At the time this article published, the incident had not been posted to the breach portal maintained by the Health and Human Services Department’s Office for Civil Rights. Under the Health Insurance Portability and Accountability Act, healthcare providers and insurers are required to disclose breaches affecting at least 500 people within 60 days of discovering them.
Oscar Health, founded in 2012, was one of four insurtechs to go public last year. The company had nearly 600,000 individual, family, Medicare Advantage and small-group plans policyholders as of September. The insurer also sells its technology platform to other payers and providers.
More healthcare data breaches occurred last year than any prior year on record, according to a review of data reported to the HHS portal. Through mid-December, HIPAA-covered entities reported 664 incidents, more than in all of 2020.