Yet Another Medicaid Breach; Emory Loses Back-up Discs
This April appears to have been designated "National Breach" month. In what is the second massive breach of Medicaid data this month, over 200,000 South Carolina Medicaid beneficiaries have been notified of a breach of their health information. The South Carolina Department of Health and Human Services discovered on April 10 that an employee had emailed 17 spreadsheets of beneficiary health information to his personal email account, including names, addresses, social security numbers and Medicaid ID numbers, but no medical information.
The former employee and project manager, Christopher Lykes, has since then been fired and arrested, charged with five counts of confidentiality violations under the South Carolina Medically Indigent Assistance Act, and one count of disclosure of confidential information, according to ABC News, Charleston. According to Department of Health and Human Services Director, Anthony Keck, the records were transferred to at least one other person, although it is unknown yet why the information was accessed.
Investigations showed that the information was available through normal reporting processes, however, Department policies and procedures did not require employees to justify needs for information, which has now been rectified by the Department. An external IT consultant has also been hired to conduct a full risk assessment of all data and IT systems.
As I posted earlier this month (see my previous blog, Utah Medicaid Claims Data Hacked), this is the second Medicaid breach this month. Utah, at least, can blame European hackers for the breach, rather than its own policies and procedures, which has since skyrocketed from its original estimate of 24,000 to almost 800,000 Medicaid beneficiaries or individuals who received health services and whose Medicaid status may have been inquired about by their health care provider, as well as CHIP recipients. This makes it one of the top breaches reported over the past few years. The Utah Department of Health has updated its toll-free number for Medicaid clients to call and added additional information about the breach on its website.
And finally, continuing the April breach theme, Emory Healthcare Systems reported this past week that 10 back-up discs went missing from storage at Emory University Hospital, containing data of 315,000 patients, including likely its own CEO's information. Oops. The data related to surgical patients treated at several Emory facilities from September 1990 through April 2007 and contained names, social security numbers, dates of surgery, diagnoses, and surgical codes, as well as names of surgeons and anesthesiologists.
Patients were notified beginning April 17, although the discs went missing sometime in February. Emory stated in its online notice that it does not believe any of the data was or will be misused, as the backup discs were for an obsolute software system long-deactivated by Emory. However, Emory has offered one year of free credit monitoring and has implemented additional security data control measures.
Along with the recent $100,000 settlement agreement between HHS and a Phoenix cardiac surgeons group, these breaches hammer home the need for a comprehensive HIPAA Compliance Program and periodic risk assessments. See Helen's post last week for the significance of this settlement agreement and the steps covered entities can take to protect themselves against breaches and privacy and security violations.