Earlier this month, the Mississippi Division of Medicaid (DOM) announced that over 5,000 Medicaid recipients have had some of their protected health information (PHI) exposed. They stated that the breach occurred via email because of an error with an online form service.
DOM discovered that the online form service was sending emails containing PHI to staff members. These emails were not encrypted, and thus were in violation of HIPAA legislation. The online service was used by staff members to create forms that were posted on its medicaid.ms.gov website. When a form was submitted via the website, emails containing the form information were sent to designated staff members.
Once the emails were received they were securely stored. Despite this security measure, it is possible that the information contained in the emails could have been intercepted in transit. This left it vulnerable to be accessed by unauthorized individuals, and potentially used for malicious purposes. DOM stopped using the online service once the error was discovered and all forms were removed from the website.
The service transmitted six different online forms. Those forms contained the following PHI elements: Names, addresses, phone numbers, dates of birth, email addresses, health insurer names, admission dates, enrolment dates, medical conditions, Medicare and/or Medicaid identification numbers and Social Security numbers. The online form service was used between May 2, 2014 and April 10, 2017. DOM has identified 5,220 patients affected by the breach.
While PHI was exposed because of an innocent error, DOM says there is no reason to believe that any PHI has actually been viewed or obtained by unauthorized individuals. Keith Robinson, DOM’s security officer, said, “It is highly unlikely that the data was compromised since the typical user would not know how to capture it during transmission.” He also explained that at the source and destination the information was secured.
In response to this incident, DOM will be strengthening its technological safeguards to prevent any future incidents of this nature from occurring. DOM’s policies and procedures relating to privacy and security will also be revised.
DOM has sent breach notification letters to all individuals affected by the incident have been notified by mail, in accordance with HIPAA’s Breach Notification Rule. No credit monitoring or identity theft protection services are being offered due to the low risk of data compromise, although impacted individuals have been advised to check their credit reports carefully.