Healthcare Information Security


MO HealthNet contractor mails patient data to wrong address

By Patrick Ouellette

Update: There is apparently more to the MO HealthNet data breach reported in August than we initially thought: instead of impacting 1,357 patients, the breach actually affected more than 25,000 patients. And, according to St. Louis Public Radio, the breach actually dates from December 2009 (instead of October 2011) to June 2013.

As a result of a software programming error on the part of a contractor on June 6, MO HealthNet is currently notifying 1,357 patients that their personal information was inadvertently exposed. The contractor, Infocrossing, Inc., mistakenly mailed the information to the wrong address.

MO HealthNet reports to the Department of Social Services and purchases and monitors healthcare services for low-income citizens of Missouri. In addition to MO HealthNet alerting affected patients through letters, the organization, through Infocrossing, is offering affected consumers two years of free continuous credit monitoring services and enhanced identity theft consultation and restoration.

Potentially-compromised information, according to, included name, date of birth, MO HealthNet identification account number (DCN), county name, phone number and the last four digits of the Social Security number. The information in the errant letter included MO HealthNet Managed Care Program data from October 16, 2011 to June 7, 2013. MO HealthNet said in the article that it has since identified and corrected the software error.

This is a broken record at this point, but it’s hard to make the case that better training wouldn’t have helped vet out the software issues. Though human error will always be a part of data breaches, mistakes such as sending patient information to the wrong addresses are preventable if organizations and vendors are careful to inspect how they handle and communicate sensitive data on a continual basis.

Moreover, assuming MO HealthNet is a covered entity, Infocrossing should be serving as its business associate (BA). Do the two organizations have a business associate agreement (BAA) in place?

