- The protected health information (PHI) of 1,622 Colorado residents was exposed when letters containing the sensitive information were sent to the incorrect households. The data breach, which affected patients who receive state healthcare benefits, was addressed in a press release by the Colorado State Department of Healthcare Policy and Financing.
According to the statement, the data breach notification letters were sent between May 25 and July 5. The mistake was discovered on July 1 when a resident reported receiving a letter containing PHI that was not intended for that individual, and the technical error was immediately corrected by July 5.
Each letter contained sensitive patient information, and may have included names, addresses, state identification numbers or Medicaid ID numbers, family member names, employers’ names, income, amount of Advanced Premium Tax Credit (APTC), and whether or not residents were approved for various state healthcare programs. Dates of birth for approximately 50 individuals were also disclosed.
While the Department’s press release emphasized that none of the letters disclosed Social Security numbers, the Denver Post reported that they were disclosed in 1,069 cases where individuals received benefits through the Department of Human Services.
To remedy the incident, the Department has issued notification letters to all affected individuals. Additionally, they will be providing free credit monitoring to affected individuals. According to the Denver Post, Deloitte was contracted by the state to conduct these mailings that were mishandled, and therefore will be paying for the credit monitoring.
The Department maintains that there is no evidence to suggest that the disclosed information was mishandled.
“The Department and its partners take the privacy of our members’ information very seriously and is notifying those impacted by this breach,” said Susan E. Birch, MBA, BSN, RN, executive director. “The Department in partnership with its vendors, has taken additional steps to prevent future errors.”
This was not the first incident of mishandled mail for the state government of Colorado. The Denver Post reports that in March, 2,900 individuals receiving food stamps or other assistance experienced a data breach, which was also caused by a computer malfunction that sent the information to the wrong addresses.
Mishandled mail is unfortunately a common way for PHI to be improperly disclosed. Approximately one year ago, a VA Montana Healthcare System patient received a letter containing someone else’s personal information, while his was sent to the incorrect location, as reported by HealthITSecurity.com. The disclosed information included names, addresses, dates of birth, Social Security numbers, and medical conditions.
The incident was blamed on human error, and the VA Montana Healthcare System took appropriate measures to ensure that the incident would not occur again, including reassigning the individual responsible.
“When humans are involved, it’s completely possible humans make mistakes,” said Randy Martin, VA Montana Healthcare System Public Affairs Officer. “It is not acceptable any time it happens.”