A Medicaid data breach and a separate data security incident were reported at two facilities recently, further showing why organizations that handle patient data need to have comprehensive and current data security plans in place.
HIPAA covered entities need to be especially vigilant, as they are typically handling medical information, along with financial data and Social Security numbers. However, it is not always possible to prevent a data breach, which is why it is also important to have proper data breach notification systems in place, so individuals can take the necessary steps to prevent issues such as medical identity theft.
North Carolina DHHS reports Medicaid data breach
For the second time in as many years, the North Carolina Department of Health and Human Services (DHHS) reported a potential Medicaid data breach. This most recent incident occurred when a DHHS employee "inadvertently sent an email to the Granville County Health Department without first encrypting it," according to agency spokeswoman Kendra Gerlach.
Gerlach explained to WRAL that the Medicaid data breach took place on August 19, but the public was not notified until October 16. The data breach notification was delayed because DHHS "must investigate thoroughly and ensure there is full understanding before determining next steps."
The unencrypted email reportedly contained a spreadsheet with Medicaid recipients’ PHI. Information included first and last name, Medicaid identification number (MID), provider name and provider ID number, and other information related to Medicaid services. Approximately 1,615 individuals had their data compromised, but DHHS added that only two Social Security numbers were compromised and no dates of birth.
While the correct recipients received the email, DHHS explained that it cannot say with certainty that the email was not intercepted. However, there has also been no indication that the spreadsheet was intercepted by unauthorized parties.
As previously mentioned, this is not the first Medicaid data breach reported by DHHS. In January 2014, 48,752 Medicaid patients were notified that their information was compromised after Medicaid cards were sent to the wrong recipients. The cards were meant to be sent to children.
Information on the cards included children’s names, Medicaid identification numbers, dates of birth and the names of their primary care doctors. The incorrect mailing reportedly happened because of human error in quality assurance and computer programming.
“I deeply apologize for the impact that this has caused to the citizens of the state,” DHHS secretary Aldona Wos explained at the time. “First and foremost, I firmly believe as secretary, that it is my obligation to ensure that the children and families we serve receive their health care … in a protected and secure environment.”
California corporation releases ‘data disclosure notice’
California not-for-profit Community Catalysts of California, Inc. recently reported that a flash drive containing certain client information was stolen from an employee’s residence. The drive potentially contained names, addresses, diagnoses, dates of birth, ages, and gender and/or telephone numbers for certain current and former clients. However, driver’s license information, state identification, health insurance or financial account numbers were not included.
“We take the privacy and security of the information in our possession very seriously and we deeply regret these circumstances and are committed to keeping impacted individuals informed,” read a Community Catalysts statement.
It does not appear that the organization is a HIPAA-covered entity, but it is still concerning that the information was potentially compromised. It also serves as a good reminder to healthcare organizations that employees must be properly trained in how to transfer and store sensitive information. Physical safeguards and administrative safeguards are essential to keeping patient information secure.
According to its website, Community Catalysts “provides services and advocacy for people with disabilities and Veterans.” This includes assistance in several areas, such as mental health support, recreation, client advocacy, education, healthcare support, housing, and employment.
“We have taken steps to prevent this type of event from happening again, including retraining our employees on using encrypted device, as required by our company policy,” Community Catalysts explained. “We are also reviewing our data retention practices to ensure that we are not retaining any documents longer than necessary in order to provide services to our clients.”