A California health department apologized Monday for releasing the Social Security numbers of around 18,000 doctors.
The mix-up started when the insurance company Blue Shield of California gave a list of health-care providers to the state agency but forgot to take out their private information. The Department of Managed Health Care, which regulates the state's health maintenance organizations, then distributed those lists in response to 10 public records requests — also without redacting the Social Security numbers.
"We sincerely apologize and regret any inconvenience this incident has caused you," Sarah Ream, of the Department of Managed Health Care, wrote to the doctors. She said they weren't aware of any cases of identity theft but offered them all free subscriptions to a fraud-alert service. "We also recommend that you place fraud alerts on your credit files."
The California Department of Managed Health Care isn't the only government agency that has ever disclosed sensitive personal information to the world. It seems this kind of thing happens all the time. In 2013, the Internal Revenue Service released more than 2,000 Social Security numbers belonging to random taxpayers that were also published on an open government website. And it happened again in Wisconsin and again in New York.
"As a result of this incident, the DMHC and Blue Shield have instituted additional protections to safeguard against future inadvertent disclosure of confidential personal information," the agency's letter to doctors said. The safeguards include purchasing software that scans data files for private information and reminding health insurance companies not to include Social Security numbers in public records. "Likewise," they said, "Blue Shield has comprehensively revised its procedures for preparing and submitting provider rosters to the DMHC."