In one of his final acts as insurance commissioner, Matt Denn fined Blue Cross Blue Shield of Delaware $150,000 on Wednesday for improperly disclosing the private medical information of about 3,800 Delaware members.

The information went to other insurance company subscribers on the back of
their own forms. Attorneys for Blue Cross asked Denn, the lieutenant
governor-elect, to waive any fines at the end of a 75-minute hearing
Wednesday at the Carvel State Office Building in Wilmington.

But there was no Christmas grace. Denn said he issued his ruling because
Blue Cross violated two insurance department regulations.

"I decided to do it because of the seriousness of disclosing personal
information and the fact that it was something that reasonably could
have been avoided," Denn said. "I wanted to create a strong incentive
for them to put a new policy into place."

Blue Cross can get the fine dropped by demonstrating that it has a system in
place to prevent the same type of error from recurring. Policyholders
will not be impacted by the fine, Denn said, since it must come from
Blue Cross’ reserves.

The error was limited to explanation-of-benefits forms, which are sent to members by their provider explaining exactly what will or will not be covered. One or more Blue Cross printers fell out of sequence on Nov. 19, resulting in
the error.

One side of the forms contained the member’s correct name, but the other side had the name and address of another member and information about his or her medical treatment.

The medical information disclosed was described in general terms and did not include Social Security numbers, Blue Cross said.

Abuse is possible, even without Social Security numbers, said Judy Dugan,
research director for Consumer Watchdog, a California-based nonprofit
organization that protects the interests of consumers.

"If you’ve got the records of someone you knew who you did business with, there’s always a chance that some dishonest use could be done," she
said. "Patients’ records that have been stolen have been held hostage
for ransom before."

William Jones Jr., head of the Blue Cross information technology section, testified that Blue Cross did not have a comprehensive, written information security program in place before the error occurred.

Later during the hearing, Karen Kane, counsel for Blue Cross, testified that Blue Cross did have that type of program, but it did not address such procedures as "how to complete a print run."

Blue Cross violated state insurance regulations requiring insurance companies to not disclose "any nonpublic personal financial information about a consumer to a nonaffiliated third party" and to "implement a
comprehensive written information security program that includes
administrative, technical and physical safeguards for the protection of
customer information."

Blue Cross, which processes about 3.4 million EOB forms each year, notified the insurance department of the error in early December after being alerted by
consumers.

No victimized Blue Cross member came forward as a witness. Attorney Herb Mondros said more people would have testified had the hearing not occurred the day before Christmas.

It is the first major privacy violation by an insurer in Denn’s four years
in office. Most formal hearings with the insurance commissioner involve
smaller numbers of consumers or general business practices, not problems of this magnitude.

Contact Hiran Ratnayake at 324-2547 or [email protected]