School employees have data disclosed in security breach
STORY
The Indian River County School District is blaming PlanSource, a third-part vendor, for a security breach that revealed Social Security numbers of some school employees to other employees in the course of mailing out tax forms for the district’s self-insured health insurance plan.
PlanSource was hired to generate Internal Revenue Service 1095-C forms, a required document that verifies employee health insurance and reports if other family members are covered on the plan.
A School District email to employees sent March 10 states, “On March 3, 2017, the School District of Indian River County was notified that the Vendor that was contracted to produce the Form 1095-C for District employees made some errors (about 3.5 percent of the forms) regarding the information contained on those forms.
“This included the release of some Social Security numbers. ... It appears that the error was caused by a misapplication of information that was provided to the Vendor by Florida Blue. This does represent a security breach on their part.
“The District is in communication with the Vendor to ensure that all State and Federal requirements are honored with regards to security breach remedies and credit monitoring services for affected employees. When we have finalized details on this, it will be shared.”
An email sent to teachers by Indian River County Education Association President Liz Cannon revealed the third-party vendor to be PlanSource.
The School District sent out an earlier email to employees March 3, informing them the 1095-C forms had been mailed the day before and an employee had already reported errors. That email, too, shirked blame, stating “the forms were provided by a third-part vendor (not the District).”
Employees were asked to contact Mike Smeltzer if they found errors, but Vero Beach 32963 was contacted by several people who said no one answered the phone number that was given, or responded to their emails, when they tried to contact Smeltzer, a member of the district benefits team.
An anonymous source submitted a list of 24 employees who were affected, some reporting that up to four names and Social Security numbers were listed on the forms they received of people they didn’t know. Others reported their children were listed twice with different Social Security numbers, both wrong except for the last four digits.
“I have yet to receive a response from anyone at district headquarters as to how my family’s identities will be protected as I suspect my information was probably shared with someone as well . . . several of us feel this is a serious breach of personal information,” another employee said, who also wished to remain anonymous.
The Affordable Care Act requires employers with 50 or more full-time employees to report each employee’s health coverage to the IRS on the 1095-C. A separate copy is to go to the employee.
Last year the School District had 1,876 employees on its health insurance plan. If errors occurred on 3.5 percent of forms, that would be 65 forms, though there could have been multiple errors and Social Security number breaches on each form. PlanSource did not respond to a request for comment.