Security Information (EyeMed/Orrick)

August 31, 2023

IU Health Plans reports security incident by third-party vendor’s law firm

IU Health Plans announced today that the law firm of its network vision manager, EyeMed, recently experienced a security incident. The law firm, Orrick, Herrington & Sutcliffe, LLC (Orrick), served as legal counsel to EyeMed during its 2020 security event.

In relation to this representation, Orrick detected that an unauthorized third party gained access to a portion of its network between February 28 and March 13, 2023, including a file used to store certain client files of EyeMed containing IU Health Plan vision benefit plan members’ information. IU Health Plans first learned of this incident on June 29, 2023, and promptly initiated a review at that time.

Orrick immediately took steps to block the unauthorized access and initiated its response process, including launching an investigation of the incident with the support of a third-party forensics firm. Orrick also notified law enforcement. In addition to these actions, Orrick deployed additional security measures and tools with the guidance of third-party experts to strengthen the ongoing security of its network.

IU Health Plans began notifying affected members on August 31, 2023. The information affected by the Orrick security incident may have included: member name, address, date of birth, phone number, email address, vision insurance account/ID number, health insurance account/ID number, and full or partial Social Security numbers. IU Health Plans wants to ensure that its information is protected, and Orrick will be offering free credit monitoring to those IU Health Plans members impacted.

If you have any questions, please call toll-free at 866-347-7897, Monday through Friday from 9:00 am to 6:30 pm Eastern Time, excluding major U.S. holidays. Callers who are deaf, hard-of-hearing, or speech-disabled may utilize their TeleTYpewriter (TTY) or Telecommunication Device (TDD) to access an operator at 866-347-7897, Monday through Friday, from 9:00 am to 6:30 pm Eastern Time, excluding major U.S. holidays.

New: access to your health records

You can now access and download your Indiana University Health Plans Medicare Advantage health records and search our Provider/Pharmacy Directory using a computer or smart phone.

The Interoperability and Patient Access Rule (“the Rule”) from the Centers for Medicare & Medicaid Services (CMS) requires IU Health Plans to offer and maintain a secure, standards-based way of allowing members to easily access their health records through third-party apps of their choice. These health records include health insurance claims and other information submitted to IU Health Plans by health care providers such as doctors and hospitals and may include cost and other clinical information.

Change Healthcare is the company managing the secure download of your data from IU Health Plans to the app of your choice. To do this, Change Healthcare uses a Patient Access Application Programming Interface (“API”). The Change Healthcare tool you will use to do the download is called Connected Health™️.

For more information on what you can do with your health records when you download them, check out the information at https://www.healthit.gov/how-t... 

This feature is not currently available for members of our commercial group health plans.

Choosing an app

  • The Rule does not allow IU Health Plans to require or recommend an app to our members.
  • The app you choose should protect the privacy and security of your health information. Once your health information is downloaded to the app of your choice, IU Health Plans can no longer protect it. Also, the company that provides the app may not be subject to HIPAA privacy and security regulations. See the How to tell if a health records app is private and secure section on this site for more tips.
  • You will also be able to request an app that is not yet listed in the Connected Consumer Health menu, if you prefer, and that app will be invited to participate.

How to tell if a health records app is private and secure

Check the app’s privacy policy, website, and reviews to learn more about its privacy and security.

Note: If the app’s privacy policy does not clearly answer these questions, please reconsider using that app. Health records are very sensitive information, and you should choose apps with strong privacy and security standards.

  • What is the app developer or company’s reputation?
    • How long has the company been in business? Are there positive reviews?
  • What are the app’s security measures?
    • Is it secure enough that no one else can log in to your account?
    • Will your health records be stored in a way that no one else can access them or identify you?
    • If you no longer want to use the app, is it easy to end the app’s access to your health records?
  • Does the app’s privacy policy clearly explain how the app will use your health records?
    • Will it collect non-health data from your device, such as your location? Can you turn this off?
    • Will it sell your health records or data about your activity on the app for advertising, research, or any other reason? Most consumers do not want their information sold.
    • Will it share your health records or data about your activity on the app for any reason? If so, find out why. Are you ok with this sharing?
    • Does it allow you to limit the app’s use and disclosure of your health records or data?
    • How does the app inform you of changes to their privacy practices?
  • How does the app collect and respond to complaints?
    • How easy is it to contact the app if you have any complaints?

How to get started

Step 1: Log in to your IU Health Plans Member Portal account.

Step 2: Choose Manage My Health Records from the menu. Fill out the form.

Step 3: Look for an e-mail invitation from enroll.connectedhealth@changehealthcare.com. Change Healthcare is the company managing the secure download of your data from IU Health Plans to the app of your choice. The Change Healthcare tool you will use to do the download is called Connected Health™️.

Step 4: Follow the instructions in the invitation. Answer the questions to make sure you are matched to your correct health records.

Step 5: Once you have access to the Connected Health site, select an app to download to. See the Choosing an app and How to tell if a health records app is private and secure sections on this site for more information.

Step 6: Download your information to the app you choose. It may take up to 72 hours to complete the first download. After that, data should download within one business day of IU Health Plans processing a claim.

How to cancel your participation or delete your data

There are several ways to cancel your participation, revoke access to the app, and/or delete health records as part of the Interoperability Patient Access API / Connected Health Portal.

  1. In the IU Health Plans Member Portal, you can cancel future sending of your health records to the Connected Health Portal.
    1. Go to "Manage My Health Records."
    2. Choose "Stop forwarding my personal information."
    3. This stops IU Health Plans from forwarding any new health records to Change Healthcare.
  2. In the Connected Health Portal, you can cancel on a per-app basis to stop downloading from the Portal to the app.
    1. This cancels the ability to download to that app only.
    2. This method does not tell IU Health Plans, and so does not stop IU Health Plans from sending your health records to the Connected Health Portal.
  3. In the app itself, you should have an ability to delete your health records.
    1. Delete your health records in the app first.
    2. Delete your account in the app, if available, next.
    3. Lastly, delete the app from your device.
    4. This method does not tell IU Health Plans, and so does not stop IU Health Plans from sending your health records to the Connected Health Portal.
  4. You can call the IU Health Plans Customer Solutions Center to delete your health records from the Connected Health Portal entirely.
    1. Call the IU Health Plans Customer Solutions Center at 800.455.9776 or 317.963.9700 (TDD/TTY 711). Hours are April 1 – Sept. 30: 8 am – 8 pm, Monday – Friday and Oct. 1 – March 31: 8 am – 8 pm, seven days a week.
    2. Request that your health records at Connected Health be deleted.
    3. IU Health Plans submits a support ticket to Connected Health on behalf of the member, to delete your health records entirely.

Frequently asked questions

  • Who oversees the privacy and security practices of health records apps?
    • Most health record apps will not be covered by HIPAA, the law that outlines privacy and security requirements for health information.
    • These apps will fall under the Federal Trade Commission (FTC) and the protections provided by the FTC Act. This Act, among other things, protects against deceptive acts like sharing personal data without permission, despite having a privacy policy that says it will not do so. You can find more information about mobile app privacy and security for consumers here.
  • Who do I complain to if I think my health records app did not secure my data, or the app used my data inappropriately?
    • Submit a complaint to the FTC. Since the Federal Trade Commission (FTC) has jurisdiction over these apps, you should submit a complaint to the FTC using the FTC complaint assistant here.
    • File a HIPAA complaint. Your situation may fall under the HIPAA Privacy, Security, or Breach Notification Rules, or the Patient Safety Act and Rule. HIPAA is overseen by the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR).
      • You can find more information about patient rights under HIPAA and who is obligated to follow HIPAA here.
      • Learn more about filing a complaint with OCR under HIPAA here.
      • Individuals can file a complaint with OCR using the OCR complaint portal here.
    • Report privacy or security concerns to the IU Health Plans Compliance Department at IUHPlansCompliance@IUHealth.org. Though IU Health Plans does not have relationships with the apps you may choose, we would like to hear of any privacy or security issues you may experience.
  • What if I have more questions?
    • Call IU Health Plans Customer Solutions Center at 800.455.9776 or 317.963.9700 (TDD/TTY 711). Hours are April 1 – Sept. 30: 8 am – 8 pm, Monday – Friday and Oct. 1 – March 31: 8 am – 8 pm, seven days a week.
  • I am a health records app developer. How can I register to use the IU Health Plans APIs?
    • App developers can begin the registration process by visiting the Change Healthcare App Registration Portal here.

H7220_IUHMA22711_C