Willis North America recently began notifying an undisclosed number of employees that their personal information may have been exposed when a health plan administrator mistakenly attached a spreadsheet containing sensitive data to an e-mail sent on March 19, 2014 to company employees who were enrolled in the Willis North America Medical Expense Benefit Plan’s Healthy Rewards Program, to remind them of an upcoming deadline to earn wellness credits (h/t PHIprivacy.net).
The spreadsheet contained the affected employees’ names, company e-mail addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and internal administrative coding information.
“The error was recognized within minutes, and the plan took immediate and extensive remedial action to try to avoid any misuse of information,” Willis chief risk and compliance officer Ian Ullman wrote in a letter [PDF] to the New Hampshire Attorney General’s Office. “This included tracking and ensuring the deletion of any forwards of the e-mail, blocking the ability to forward the e-mail, and deleting the e-mail from recipient inboxes.”
While the company believes that the data in the spreadsheet wasn’t improperly accessed, and that all copies of the spreadsheet have been deleted, all current employees are being offered two free years of identity theft protection through TrustedID’s IDEssentials service.
“We have determined that this incident was not the result of an intentional or criminal act,” Willis executive vice president Celia Brown wrote in the notification letter [PDF]. “Rather, it was the result of an unfortunate and regrettable, but entirely honest, mistake.”