Fax sent by United subsidiary causes security concerns
■ Physicians fear a company seeking to update its directory might have opened them up to the possibility of identity theft.
By Jonathan G. Bethely — Posted May 14, 2007
A UnitedHealth Group subsidiary agreed to stop a nationwide pilot program it was using to update practice information after physicians in New York became concerned about the possibility that their personal information could end up in the wrong hands.
Regina McNally, vice president for the division of sociomedical economics for the Medical Society of the State of New York, said several physicians contacted the medical society during the week of April 16 after they received a fax from Ingenix, a wholly owned United subsidiary that focuses on health care information technology and analysis.
McNally said the fax asked for practice information such as e-mail addresses, fax numbers, and whether the practice was accessible to the disabled. But it also contained the names of physicians and staff members, along with their Social Security numbers, tax identification numbers and DEA numbers.
In addition, McNally said one physician indicated the fax contained the names and numbers of physicians and staff who no longer worked in the practice, and a social worker who has never been associated with the practice. "The physician who received it was quite concerned," she said.
Though no physicians reported any identity theft based on the faxes, they said they were worried about the fax-based dissemination of the information, and what would happen if the faxes got into the wrong hands.
McNally said she sent a written request to Ingenix asking that the company follow up with physicians and offer to pay for credit monitoring services for those affected.
AMA Executive Vice President and CEO Michael A. Maves, MD, MBA, sent a letter to Ingenix CEO Andy Slavitt saying that physicians need "assurances as to steps Ingenix will take to avoid creating further doubts" about how the company protects the privacy and security of physician information.
Company to try different approach
Bonnie Mihalko, compliance director for Ingenix, said the company was sending out letters to physicians to disregard the previously faxed request, and she said the pilot program has been canceled.
In the future, she said the company would focus on collecting information through phone calls and letter distribution. Mihalko said Ingenix would handle physician concerns on a case-by-case basis.
"We're listening to the provider community," Mihalko said. "We felt that it was not being well received and we would not receive updates on our demographic information. ... Nothing went wrong."
She said the company was conducting a physician directory verification program when it decided to contact physicians by fax instead of using phones or a letter, which it has done in the past. She would not say how many practices received a fax.
Mihalko said some physicians had indicated that fax was the best method to reach them.
"They want us to fax information because they don't have e-mail or practice management systems that allow us to send information in a secure manner so we have to use either U.S. mail or they request us to send them faxed information," she said.
Mihalko said Social Security numbers were not included as a specific line item on the fax for all physicians. However, she said there may have been some cases when physicians' Social Security numbers would have been included because they use them for their tax identification numbers.
Rob Tennant, senior policy adviser for the Medical Group Management Assn., said that by including Social Security numbers, DEA numbers and other personal identifiers, Ingenix invites an array of fraud opportunities if the information should get into the wrong hands.
"It's critical that health insurers, vendors and other providers ensure that this type of information should not be released," Tennant said. "It's not a HIPAA violation, but it's very important information to the physician as an individual."
Dr. Maves' letter also said Ingenix used vague language in describing how it would use physician information. He wrote that Ingenix should not only convey clearly how the physician information is used but also allow physicians to opt out of the Ingenix directory.












