They signed up for health insurance on the state exchange.
But about 3,200 Washingtonians, all of whom were nearing age 65, also got something they didn’t ask for. Their contact information was stolen by a contractor and provided to a Spokane-area insurance company, which used it to target sales pitches for Medicare-related insurance products.
The state has fired the contractor associated with the breach, along with an unspecified number of “individuals directly associated with the (insurance) agency,” and referred the matter to investigators with the Washington Office of the Insurance Commissioner and federal Medicaid officials.
The personal data that was taken and “illegally provided” to the insurance company was contact information, officials said – names, addresses, emails, ages and dates of birth. No financial information or Social Security numbers were involved, according to the Washington Health Benefit Exchange.
The stolen information came from customers who were about to “age into Medicare,” the federal health insurance program. Insurers sell many kinds of supplemental insurance products designed to bolster Medicare coverage, such as so-called Medigap plans. Federal Medicare regulations prohibit “unsolicited direct contact” in marketing such plans.
Officials with the exchange alerted customers by letter in late April, and are urging anyone who receives an unsolicited sales pitch about any Medicare-related insurance to report it to the insurance commissioner’s office.
“We are working with investigators at the state and federal level to get to the bottom of this,” said Michael Marchand, chief marketing officer for the exchange.
Neither Marchand nor a state insurance commissioner spokesman could provide many details about the case, including the name of the insurance company or the individual who took the contact information.
Insurance commissioner spokesman Steve Valandra confirmed that the office intended to open an investigation, but said it was unclear whether it would stay with his office or become a federal matter. A representative of the Centers for Medicaid and Medicaid Services did not respond to a request for comment this week.
The issue centers around the work of an individual who was hired as a “navigator” for the state exchange, as well as others affiliated with a single Spokane area insurance agency. Navigators are hired to help people apply for insurance through the Washington Healthplanfinder system; they are trained and certified by the state to help people negotiate the complicated process of finding an insurance plan on the exchange through the Affordable Care Act.
Exchange officials notified clients of a “potential privacy issue” in a letter dated April 23 and signed by Marchand. The letter said an audit had revealed that the navigator, a third-party contractor, had “illegally provided contact information of consumers aging into Medicare to a Spokane-area insurance agency with which he is affiliated.”
Marchand said that, in addition to the improper handling of personal information, the Navigator’s affiliation with the insurance company was improper.
“You can’t do both,” he said.
It’s not clear what the insurance agency did with the information, but Marchand said at least one exchange customer contacted the state after receiving an unsolicited pitch for Medicare-related insurance.
He said the data theft was a clear violation of the agency’s standards.
When it comes to personal information, he said, “You can’t share it, you can’t use it, and you can’t know of people sharing and using it without reporting it.”