Sorry, Mr. Smith, you have cancer. Oh, you're not Mr. Smith?Testing oversight: Mismatched contact information in insurer's customer database
Consequence: Blue Cross/Blue Shield sends 202,000 printed letters containing patient information and Social Security numbers to the wrong patients.
Of course, it sounded like a good idea at the time: Georgia's largest health insurance company, with 3.1 million members, designed a system that would send patients information about how each visit was covered by their insurance.
The EOB (explanation of benefits) letters would provide sensitive patient information, including payment and coverage details, as well as the name of the doctor or medical facility visited and the patient's insurance ID number.
Most insurance companies send out EOBs after people receive medical treatment or visit a doctor, but the Georgia Blue Cross/Blue Shield system so muddled up its medical data management functionality that its members were sent other members' sensitive patient information.
According to The Atlanta Journal-Constitution, registered nurse Rhonda Bloschock, who is covered by Blue Cross/Blue Shield, received an envelope containing EOB letters for nine different people. Georgia State Insurance Commissioner John Oxendine described the gaffe to WALB news as "the worst breach of healthcare privacy I've seen in my 14 years in office."
As for the roughly 6 percent of Georgia Blue Cross/Blue Shield customers who were affected, I'm sure they will be heartened by the statement provided by spokeswoman Cindy Sanders, who described the event as an isolated incident that "will not impact future EOB mailings."
It's a mantra Georgia Blue Cross/Blue Shield customers can keep repeating to themselves for years as they constantly check their credit reports for signs of identity theft.
Testing tip: Merging databases is always tricky business, so it's important to run a number of tests using a large sample set to ensure fields don't get muddled together. The data set you use for testing should be large enough to stress the system as a normal database would, and the test data should be formatted in such a way to make it painfully obvious if anything is out of place. Never use the production database as your test set.