OIG’s Medicaid Data Breach Report for 2016

The Department of Health and Human Services’ Office of Inspector General (OIG) has issued a new report stating that most Medicaid data breaches are relatively minor and affect only a very small number of people. For the report, OIG examined all the breaches that Medicaid agencies and their contractors reported in 2016. According to the report, there were 1,260 breaches in 2016, in which the data records of 515,000 Medicaid beneficiaries were compromised.

Roughly 2/3 of the Medicaid data breaches reported in 2016 affected one person, while 29% of the breaches affected 1 to 9 persons. Only 1% of the total were large-scale breaches, meaning breaches that affected 500 or more persons.

Although the causes of the breaches varied widely, the majority were due to very simple mistakes such as misaddressing a letter, email or fax. Breaches of that kind exposed only a very limited amount of PHI, for instance the Medicaid ID, beneficiary name or another ID number. Of the 1,260 breaches, 303 exposed Social Security numbers and 23 exposed financial details. While a large percentage of healthcare data breaches overall are caused by hackers, only 9 hacking incidents in 2016 exposed Medicaid information.

OIG stated that past reviews focused on identifying vulnerabilities in states’ information systems and controls that could potentially be used to access Medicaid systems and information. This review instead focused on how breaches are responded to whenever security incidents take place. An effective breach response can limit the potential harm, such as identity theft.

Besides analyzing Medicaid data breaches, OIG evaluated the breach response policies and procedures implemented in the 50 states and the District of Columbia. Most states have adopted a common breach response framework. This includes investigating breaches and their extent, determining the best way to respond to a breach, deciding how to protect breach victims, and determining the actions needed to fix vulnerabilities so as to prevent further security breaches. OIG additionally evaluated the responses to every breach in the nine states to better understand breach response processes.

OIG observed that breach response processes varied slightly from state to state, but all entities still met HIPAA requirements and state laws. All breach reports were submitted to the HHS’ Office for Civil Rights to satisfy the HIPAA Breach Notification Rule. However, many states did not consistently notify the Centers for Medicare & Medicaid Services (CMS) separately, even though CMS has required this since 2006.

OIG suggests that this may be because the HIPAA Breach Notification Rule was introduced later, in 2009. Failing to report Medicaid breaches to CMS hinders the agency’s ability to track data security issues across the country. This makes it more difficult to recognize multi-state data breaches and to determine when best practices and guidance should be issued to resolve common data security problems.

To fix the problem, OIG recommended that CMS issue up-to-date guidance to Medicaid agencies and their contractors and outline the conditions under which a separate breach notice must be submitted to CMS.

CMS agreed with the recommendation, but said that Medicaid agencies and contractors have already been aware of the reporting requirements of the State Medicaid Director Letter since 2006.