Even though online hacks and security breaches have become regular headline news, other, more traditional data privacy issues are still a threat. The NBC Bay Area Investigative Unit has found that when it comes to workers’ compensation, holding companies accountable for information security can be challenging.
When Don Thorvund unexpectedly got hurt on the job, he went through the proper channels to get treatment through a workers’ compensation claim. But when he opened the envelope for what he thought were his settlement documents, he found someone else’s workers’ compensation paperwork. The documents included the stranger’s personal information such as her social security number, home address and injury information.
Don had no idea where his own information was sent.
“They know my medical history, they know where I live and I believe they have my social security number,” Don said. “No one wants their information breached, nobody wants that to have an impact on future employment.”
He called his insurance company, who told him it had hired a third party company to assist with paperwork and that it was the company WorkComp Resolutions that had sent out this envelope.
Don says when he contacted the company, located in Anaheim Hills, he was told interns had stuffed the envelopes that day, but that was all they knew.
The Investigative Unit contacted WCR’s CEO, David Bowen, who said on the phone that this is the first time this has happened and that he does not believe anyone else was affected.
“They couldn’t tell me how many copies of my information were made,” said Don. “They couldn’t tell me where my information went, they couldn’t tell me whose envelopes were stuffed that day.”
The Investigative Unit contacted the woman whose information was sent to Don. She did not want to talk on camera but told the Investigative Unit she also received incorrect paperwork. She said she does not recall to whom it belonged because she threw it out.
WCR ended up purchasing him a year of LifeLock identity protection after Don hired legal representation, but he still worries about where his information went and wants to know why the law does not protect him in this scenario.
“They’re not going to do anything to change unless people understand that your information is at risk and we make changes to the law,” he said.
The Health Insurance Portability and Accountability Act, or HIPAA, protects individuals’ medical records and other personal information from being shared by health care providers. There is an exception in the rule for some transactions by workers’ comp insurance companies and the third party companies who handle paperwork, allowing them to share certain information with employers that is pertinent to their injuries on the job. However, that does not mean these workers’ comp companies can send information out to anyone.
“I think of HIPAA like Swiss cheese: it’s full of holes everywhere,” Rainey Reitman, with the Electronic Frontier Foundation, told the Investigative Unit.
Reitman serves as the director of the Activism Team for the non-profit. EFF’s website states its mission as “defending civil liberties in the digital world.”
Reitman says HIPAA does not apply in these types of cases.
“A lot of people think of HIPAA as this very strong law that is going to make sure that their medical information doesn’t get out there, but HIPAA actually doesn’t work like that at all. In fact it doesn’t really cover workers comp people at all,” Reitman said.
According to a database from Privacy Rights Clearinghouse, which Reitman helped create, there are thousands of cases of security breaches, many like Don’s.
The database shows that at hospitals in Wisconsin and Indiana, errors by a third party resulted in patients’ information being sent to the wrong address. Patient names, addresses, account numbers, dates of services and financial status were exposed.
“I wish I could say I was surprised, but unfortunately I hear about these things every day,” Reitman, who helped create the database, told the Investigative Unit. “I think he [Don] is the tip of the iceberg.”
The Investigative Unit contacted the CA Department of Industrial Relations, which passed us on to the Attorney General. The Attorney General directed our calls to Consumer Affairs, which directed us back to DIR and also suggested Don contact local law enforcement.
DIR also said it has no jurisdiction over HIPAA or state privacy laws.
Attorney Sue Borg, a partner at DuRard, McKenna and Borg, a workers’ compensation law firm in San Mateo, told the Investigative Unit these cases happen regularly and there is little recourse.
She says if a victim has direct damages linked to the breach in information, an attorney can help, but those damages could come years down the road and would be difficult to prove.
“It’s really an impossible situation,” Borg said. “The problem is that even though the HIPAA registration created a right to keep your information private, it really didn’t create an individual remedy to do anything about it.”
She says HIPAA calls for certain enforcement penalties for noncompliance, but says she has rarely seen them enforced.
“It doesn’t present much of an incentive for any of these insurance companies and people that are holding this information to be very careful about how they are handling it,” she said.
“There’s no accountability,” Don said. “In the long run, I just hope other people aren’t put in the same spot.”