ALBANY -- Some applicants to the New York health insurance exchange saw their email addresses revealed this week in a message reminding them of a March 31 enrollment deadline.
The automated email sent by the exchange on Monday went to New York residents who completed an online application process but hadn't yet enrolled in insurance coverage. The message didn't make use of the blind carbon copy feature, allowing recipients of the email to see the addresses of others who received it.
It wasn't clear Wednesday how widespread the apparent privacy breach was.
There are 328,641 state residents who submitted an application and didn't yet enroll, the Department of Health announced Tuesday. But the email was sent to just 100 recipients at a time, according to several copies of the message obtained Wednesday by Gannett's Albany Bureau.
In a statement, the state Department of Health said the email reminder went to a "small group of individuals," but didn't say how many.
"Other than the email addresses, no identifying information was included in the email," the health department's statement reads. "We have investigated the cause of this error and have taken steps to prevent it from occurring again."
The email was to remind applicants to the exchange that they would have to elect an insurance plan and provider by March 31 in order to receive coverage in 2014. For those who enroll ahead of the deadline, their coverage would begin May 1.
The state's health exchange -- which is essentially an insurance marketplace -- launched in October as part of the federal Affordable Care Act.
There were numerous complaints about the apparent breach on Twitter and other social media. Some users posted copies of the email online, redacting the names of the recipients.
Several sent tweets directly to the health exchange's official Twitter account -- @NYStateofHealth.
"Really @NYStateofHealth?" wrote Robbie Rozelle, a Johnson City, Broome County, native now living in New York City. "You send out a mass email without blind-copying?"
Lavonne Hall, a 44-year-old photographer from New York City who received the reminder, said she called the exchange's help line to raise concerns about the email. When she became disconnected, she took to Twitter to air her complaint.
"There was one (email) that went out last week, and you couldn't see other email addresses," Hall said in a phone interview Wednesday. "Then this one came in and I saw this long list of names, and I thought, what the heck is this?"
As of Tuesday, 995,038 people had completed the exchange's application process, the first step in enrolling in coverage through the marketplace. Of those, 666,397 completed the enrollment process, with 327,020 enrolling in private plans and 339,377 placed on Medicaid.
"The marketplace is required to keep your information private, share your information only when we need to and follow the privacy practices in this notice," the policy reads.
2 On Your Side contacted Richard Dvorak, a health care attorney with Kansas-based EMR Legal, Inc., a HIPAA compliance consulting firm. With extensive knowledge of the intricacies of HIPAA -- as well as experience consulting in the state of New York -- Dvorak said the email breach is "a potential problem."
Dvorak said there are only two instances in which an entity could release any personal information. First, it could occur if the individual authorizes it. Secondly, it could occur if it pertains to treatment, payment or health care operations, which do not seem to apply in this case, according to Dvorak.
"Revealing the identity of other individuals who are also subscribers -- to each and every one of them -- would not seem to fit into one of those two permitted categories."