The mistake affected patients who had applied for a new health savings account insurance plan, said Gayle Tuttle, a spokeswoman for the Chapel Hill-based insurer. Tuttle said the mailing label on a welcome letter that was sent out to 629 people contained a tracking number with 11 digits, nine of which were the members' Social Security numbers.
As part of a broader bid to enhance data privacy, Blue Cross has been using new subscriber numbers instead of Social Security numbers to identify patients, Tuttle said. Even so, there is still a "linking" that goes on internally between the subscriber IDs and Social Security numbers, and that may have contributed to the error, she said.
The problem was discovered on Jan. 30, and two days later, letters were sent to the affected individuals informing them of the security breach. "We are taking this very seriously," Tuttle said. "But this affects only a very tiny percentage of our members."
In the wake of the incident, Blue Cross is looking at its internal processes to see how such mistakes can be avoided in the future, Tuttle said without elaborating.
The breach at Blue Cross is similar to one involving The Boston Globe two weeks ago and another case involving tax preparer H&R Block Inc. in Kansas City, Mo.
In the Globe incident, information about more than 200,000 subscribers was inadvertently exposed when the Worcester Telegram & Gazette, a sister publication in Worcester, Mass., reused paper containing names, credit card numbers and bank account information to print routing labels that were attached to newspaper bundles.
In mid-December, H&R Block accidentally embedded Social Security numbers in 47-digit tracking numbers on packages used to mail free copies of its TaxCut software to former clients as part of a marketing campaign. The breach was reported by someone who received a package, and letters were sent to all of the affected individuals on Dec. 22, according to H&R Block spokeswoman Denise Sposato.
The snafu was the result of an "inadvertent human error," Sposato said. H&R Block has completed an investigation into what happened and has fixed the problem, she said, declining to provide further details.