Misdirected faxes, emails a top source of Medicaid data breaches

State Medicaid agencies had 1,260 data breaches in 2016, many of which were the result of misdirected communications that sometimes exposed the information of beneficiaries in letters, emails and faxes. In many cases, information was simply sent to the wrong place, such as the wrong beneficiary or physician office.

In fact, breaches as a result of hacking or other IT incidents were rare in 2016, according to a report from the HHS Office of Inspector General.

Data breaches, defined as the acquisition, access, use, or disclosure of protected health information, can leave beneficiaries vulnerable and expose the Medicaid program to potential fraud.

Of the Medicaid breaches in 2016, 88 percent were from unauthorized access or disclosure in misdirected communications and employee actions. Just 5 percent, or 68 breaches, were the result of theft, 4 percent were from loss of records and less than 1 percent were caused by improper disposal of records. The fewest number of breaches—nine—resulted from hacking.

Data breaches varied widely, from the number of people affected, the kind of information disclosed and how it happened. Approximately 515,000 beneficiaries and other individuals were affected by breaches in 2016, according to OIG. Nearly two-thirds of breaches involved a single person and about 30 percent were disclosures that affected between two and nine beneficiaries.

Among the breaches with potential to cause harm was a beneficiary whose drug test results were disclosed to an ex-girlfriend. Another individual’s address was disclosed to an ex-boyfriend who had previously “stalked and assaulted the beneficiary,” according to the report.

Just 1 percent of breaches affected 500 or more beneficiaries. One specific breach affected about 370,000 beneficiaries, caused by an individual who “hacked the computer server of an MCO’s business associate and had access to names, dates of birth, diagnosis information and Social Security numbers." However, there was no evidence the individual intended to use the information fraudulently, the state concluded.

OIG collected data breach information from Medicaid agencies and contractors from 2016 to conduct its report.

Amy Baxter

Amy joined TriMed Media as a Senior Writer for HealthExec after covering home care for three years. When not writing about all things healthcare, she fulfills her lifelong dream of becoming a pirate by sailing in regattas and enjoying rum. Fun fact: she sailed 333 miles across Lake Michigan in the Chicago Yacht Club "Race to Mackinac."

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.