Date Reported:
4/23/08

Organization:
University of Texas System

Contractor/Consultant/Branch:
University of Texas Health Science Center at Tyler
The CBE Group Inc.

Victims:
Patients

Number Affected:
Unknown*

*Roughly 2,000 medical bills were mailed, but the number of patients is not reported.  Some patients may have received multiple bills.

Types of Data:
Names, addresses, and Social Security numbers

Breach Description:
"Some 2,000 medical bills were mailed around East Texas last week with patients' Social Security numbers visible on the envelope after a technical glitch skewed billing at the collection agency used by the University of Texas Health Science Center at Tyler. "

Reference URL:
Tyler Morning Telegraph

Report Credit:
Lauren Grover, Tyler Morning Telegraph with a special thanks to Attrition.org

Response:
From the online source cited above:

Some 2,000 medical bills were mailed around East Texas last week with patients' Social Security numbers visible on the envelope after a technical glitch skewed billing at the collection agency used by the University of Texas Health Science Center at Tyler.
[Evan] Why is it necessary to send someone a piece of mail with their Social Security number on it?  The person receiving the bill probably already knows their Social Security number.

Chief Operating Officer Rob Marshall at UTHSCT said the problem was quickly addressed and fixed, but his disappointment in collection agency CBE Group Inc. might not be repairable.

"We're in negotiations ... I can't confirm or deny that we'll be with (CBE) in the future," he said Tuesday evening. "But we do have a different set of rules on handling issues like this and have already said how to safeguard this in the future."
[Evan] Is UTHSCT planning on sending a separate notification mailing to the people affected?  No mention in the article.

The number of area residents whose numbers were exposed isn't known because multiple bills could have gone to one patient, said spokeswoman Rhonda Scoby.

The Social Security numbers were never floating around the public, but were sent from secure sites at UTHSCT to CBE and then straight to the post office and to the patient's home, she said.
[Evan] There are a few more steps along the way, such as post office routing and delivery.  It used to be safer to send confidential information in the mail.  Not so anymore.

The hospital is taking full responsibility for the error and asking all affected patients to contact their business office, Marshall said.
[Evan] The UTHSCT business office can be contacted by calling (903) 877-7172.

"It was a small glitch that we absolutely own up to and want to be able to take care of anyone who has issue as a result," he said.
[Evan] Then at the very least, put something on the UTHSCT web site for affected people to refer to (I couldn't find anything).

While CBE officials are still investigating the cause of the error, added software and quality control is in place to catch any further malfunction, Marshall said.

Commentary:
The one burning question is why are Social Security numbers present on billing statements to begin with?  Or was this the problem all along, they were never supposed to be anywhere on the billing statement?

Past Breaches:
October, 2007 - University of Texas students exposed on FTP site