- There are more health data breach problems in Utah, as the Utah Department of Health reports that a USB memory stick with 6,000 Medicaid recipients’ protected health information (PHI) has been lost. A third-party contractor, Goold Health Systems (GHS), that processes Medicaid pharmacy transactions for the UDOH lost the stick during travel.
This announcement comes about nine months after UDOH had to make a statement that hackers had broken into a government server. As EHRIntelligence.com reported last spring, the breach compromised the data of 780,000, including the Social Security numbers of about 280,000 of them. Utah’s Stephen Fletcher, Director of the Department of Technology Services, was terminated as a result of the breach.
This time, the UDOH says the data on the USB stick was limited to Medicaid recipient’s names, Medicaid identification numbers, age and recent prescription drug use and that Social Security numbers and financial data wasn’t included.
While this is a smaller breach than UDOH experienced back in the spring, it’s alarming that this is the second breach in less than a year and that a contractor was allowed to travel with PHI. It has to be exasperating for an organization that has been the poster child for large data breaches over the past year.
Ironically, Utah Senator Stuart Reid suggested there be a health privacy bill to be passed in Utah for heftier data security protection back in the fall.
According to heraldextra.com, the GHS employee struggled with her Internet connection Thursday while trying to upload the data to a server, saved the PHI to a memory stick and lost the stick while traveling between Salt Lake City, Denver and Washington, D.C. The employee has since been terminated after violating both Health Department policy and the GHS contract. UDOH is in process of sending out letters to affected individuals and figuring out what went wrong. UDOH spokesman Tom Hudachko Hudachko, according to the Herald, said the breach is frustrating for the department:
…because we’ve essentially spent the last nine months responding to the breach that we had last year.” He said that in the past nine months, the department has tried to figure out where to strengthen its system, enacted more than 100 new policies and trained almost 400 employees in data protection.