The Monday edition of the Arizona Republic contained a story with potential interest to our readers. On the most recent address labels of Banner Health's magazine, Smart & Healthy, the addressee's Social Security or Medicare identification numbers, which are often identical to their Social Security numbers (1). The magazine was mailed to more than 50,000 recipients in Arizona late last week.

The recipients are members of the Medicare Pioneer Accountable Care Organization, a government health-care plan that Banner serves. Banner generated its mailing list from information it received from the U.S. Centers for Medicare & Medicaid Services, which is an agency within the U.S. Department of Health & Human Services (HHS) responsible for administration of several federal health-care programs.

Although medical information has been protected by the Health Insurance Portability and Accountability Act (HIPAA) since 1996, penalties were recently increased. Civil monetary penalties were increased from a maximum of $100 to $50,000 per violation and the maximum aggregate increased from $25,000 for each violation to $1,500,000 per year. If multiple violations occur the penalties could exceed $1,500,000. Reflecting the increase in penalties, HHS fined BlueCross Blue Shield (BC&BS) of Tennessee $1.5 million in a case involving a breach that affected more than 1 million individuals (2). Locally, HHS fined a Phoenix cardiac surgery group $100,000 for posting patients' appointment information on an internet calendar that was available to the public (2).

Officials at HHS and Social Security Administration are looking into the matter (1). The $100,000 fine of the physician group in Arizona is likely a fairly sizable portion of their revenue. In contrast, the $1.5 million penalty paid by Tennessee BC&BS is less than 0.03% of their $5.6 billion revenue (3). Banner had total revenues of $4.9 billion and assets of $7.6 billion in 2012.

Richard A. Robbins, MD

References

1. Giblin P. Medicare IDs erroneously published. Arizona Republic. Available at: http://www.azcentral.com/news/arizona/articles/20140224medicare-ids-erroneously-published.html (accessed 2/27/14).
2. Anderson H. Arizona practice gets $100k HIPAA fine. Available at: http://www.govinfosecurity.com/arizona-practice-gets-100k-hipaa-fine-a-4686 (accessed 2/27/14).
3. Flessner D. BlueCross BlueShield of Tennessee earns record $221 million. Chattanooga Times Free Press Available at: http://www.timesfreepress.com/news/2013/apr/30/bluecross-earns-record-221-million/?business (accessed 2/27/14).
4. Ernst & Young. Banner Health Consolidated Financial Statements. Available at: https://www.bannerhealth.com/NR/rdonlyres/DD3E9650-00D6-4385-B12B-E96BBC4E9917/67703/_BannerHealthconsolidated201211_Final.pdf (accessed 2/27/14).

Reference as: Robbins RA. Banner prints social security numbers. Southwest J Pulm Crit Care. 2014;8(2):140-1. doi: http://dx.doi.org/10.13175/swjpcc027-14 PDF