- An employee error has resulted in a healthcare data breach in Washington, compromising 91,000 Medicaid patient files.
The Washington State Health Care Authority (HCA) recently released a statement explaining the breach, which occurred after an HCA employee mishandled patient information from Apple Health (Medicaid), a provider of free healthcare for low-income individuals.
According to the statement, two HCA employees improperly exchanged patient information from Apple Health when one of the employees was helping the other with a spreadsheet problem. Both employees claimed that the information was not used for any additional purposes, and that no unauthorized users were granted access to the data.
Compromised information reportedly included patients’ Social Security numbers, dates of birth, Apple Health client ID numbers, and private health information.
This event was determined by HCA as a HIPAA violation due to the Privacy Rule violation. Furthermore, because HCA was unable to prove that the information was not spread beyond the state systems, it categorized the incident as a healthcare data breach, and is following through as such.
“While we have no indication that the client files went beyond the two individuals involved, Important privacy laws were violated and we are exercising caution and due diligence given the nature of the information,” said HCA’s risk manager Steve Dotson.
Both individuals involved had their employment terminated. HCA also sent HIPAA data breach notification letters to all potentially affected individuals, per the HIPAA Privacy Rule.
“Our first and foremost priority is protecting our clients’ personal information,” said Dotson. “We have taken swift action to address this issue and help prevent future incidents. I know this is stressful and concerning for those impacted, and we are doing everything possible to support them.”
In addition to sending out data breach notification letters and terminating the two allegedly responsible employees, HCA has performed a thorough examination of the employees’ computers to determine the kind of information that was breached and the extent of the breach. HCA has also set up one year of free credit monitoring for the potentially affected individuals.